Wednesday, August 12, 2009

Securing SOA Suite 11g with OES

This is a topic that spans both SOA and Access Management (OES).

Again, the steps in the post are not officially supported.

Now that I've got the WLS SM running inside of the domain, I'm working on configuring a Java callout inside of a BPEL process to OES. Better get my DOM API guide handy ;)

More soon.

Tuesday, July 14, 2009

Authorization Decisions - To Pre-Cache or Not to Pre-Cache, That is the Question

There is a common pattern in entitlements solutions which "require" authorization decisions to be pre-cached. What I mean by pre-cached is that at startup, all of the authorization decisions for all of the users for all of the resources are loaded into an in-memory cache. This in-memory cache can be either local to the application or in a central location(s). There are a few reasons to do this. The most obvious is performance - finding an entry in a HashMap should be very, very fast (sub-microsecond). The other reason I've heard is a high availability requirement. The in-memory cache is also backed up onto disk (securely) so that, in the case that the user can authenticate to the system but the systems that the PDP needed information from (PIPs) are not available, a decision can still be returned.

To be fair, I'm not sure that this pattern is common across all customers, but I have seen it many times in Financial Services. This makes a lot of sense...very fast, very available authorization solution - fits well with things like front-office trading systems. So, what's the problem?

There seem to be a couple of issues with this model.
  • Issue 1 - Update latency. If there is a change, how long does it take for that change to be enforced in an application? Well, it depends on the scope of the change...for example, if a country changes the rules on what constitutes an adult or what constitutes legally married, then you may have to re-calculate the entire cache, and this can take a long time...hours, days? If it's a more isolated change, like a privilege on an account, then the change is more contained, but this touches on the second issue.
  • Issue 2 - Cache consistency. Since this model is really for very fast, very available solutions, you're not going to have one instance of the cache. So now you need to make sure that you've updated all the copies of these records, and probably need to make sure that it's done transactionally...you don't want different behavior based on which server in the cluster you hit. These first two issues can be solved with a really advanced distributed cache, but the third issue is the one that seems to be the "killer" for pre-caching.
  • Issue 3 - Context based authorization. Simply, "What if the authorization decision depends on some information I don't know until request time?"
Sorry for the long preamble, but what I really wanted to talk about is this third issue: context based authorization working in conjunction with pre-cached authorization data/entitlements. By definition, since it can be known beforehand, the pre-cached information is static - the groups the user has, the accounts the user has access to, the organizations the user belongs to, etc. Maybe, as an alternative to pre-caching, get this information once, at authentication time, and store it....where?

The simple answer would be in the application session, but what I've done on a number of occasions, and what has worked very nicely, is to store it inside the Subject as Principal objects. This approach covers most of the same HA use cases as pre-caching with disk back-up, except that in this solution, if those systems are down when you try to authenticate, you won't be able to log in - depending on how you set the JAAS control flags. Also, in the case of OES, this lends itself very nicely to the creation of a custom authentication provider - basically a JAAS Login Module. Its purpose is to go fetch the static information and hold onto it for the duration of the JAAS Subject. This is effectively the same as the session. This approach also adds "no time" to the transaction, since the performance requirements are usually on authorization, not authentication. The business requirement is that transactions are processed quickly - sub ms - and they will be, since all of the information is stored inside of the JAAS Subject, in memory. Also, the latency of change goes way down...the user gets new entitlements every time they log back in.

Now that I've refactored the static data into the JAAS Subject, adding context based authorization is pretty straightforward. The new "policy combining algorithm" is, in most cases: allow if the static entitlements are granted and, if there are context based authorization policies, those policies must also evaluate to "grant". In OES, this can be done by:

DENY (//priv/all, //sgrp/foo/allusers, //app/foo) if not static_entitlements_granted()

In this model all of the logic is buried inside of the custom evaluation function, but I could have used attribute retrievers to parse the Principal objects in the Subject and expose more of the logic in the policy:

DENY (//priv/all, //sgrp/foo/allusers, //app/foo) if not "ent1" in [user_entitlements]

So now that the existing rules are in place, just go add some new context based authorization:

GRANT (//priv/read, //sgrp/foo/allusers, //app/foo/sensitive_materials) if authentication_method = "strong"

Context could include network, authentication method, user limits, historical patterns (OAAM), time of day etc.

In order for this type of model to be a true replacement for pre-caching, it assumes that the underlying authorization engine is fast...that it can do authorizations in the sub-ms range. I can't disclose any confidential information in this forum, so you'll have to draw your own conclusions about the performance of OES. I can say I've built solutions like this with a number of customers, and they've been very pleased with the result.
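As an added example (not code from this post and not the OES API), here is the shape of the approach in plain JAAS: a hypothetical LoginModule that fetches a user's static entitlements once at login and commits them to the Subject as Principal objects, and an isAllowed check that applies the combining algorithm from the policies above - deny unless "ent1" is present, then require authentication_method = "strong" for the sensitive resource. The entitlement store, the user names and the EntitlementPrincipal type are constructed for the example; in a real deployment the lookup would sit behind an OES attribute retriever or custom evaluation function, and the module would be stacked after the provider that actually authenticates the user.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

public class StaticEntitlementDemo {

    /** Hypothetical principal: one static entitlement held in the Subject for the life of the session. */
    public static final class EntitlementPrincipal implements Principal {
        private final String name;
        public EntitlementPrincipal(String name) { this.name = Objects.requireNonNull(name); }
        @Override public String getName() { return name; }
        @Override public boolean equals(Object o) {
            return o instanceof EntitlementPrincipal && name.equals(((EntitlementPrincipal) o).name);
        }
        @Override public int hashCode() { return name.hashCode(); }
    }

    /** Constructed stand-in for the PIP / entitlement store the login module would query. */
    static final Map<String, Set<String>> ENTITLEMENT_STORE = Map.of(
            "joe", Set.of("ent1", "account:ACC-100"),
            "sue", Set.of("account:ACC-200"));

    /** Hypothetical LoginModule: stacked after the real authenticator, it fetches the static data once per login. */
    public static final class EntitlementLoginModule implements LoginModule {
        private Subject subject;
        private CallbackHandler handler;
        private final Set<EntitlementPrincipal> fetched = new HashSet<>();

        @Override public void initialize(Subject subject, CallbackHandler handler,
                                         Map<String, ?> sharedState, Map<String, ?> options) {
            this.subject = subject;
            this.handler = handler;
        }

        @Override public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user: ");
            try {
                handler.handle(new Callback[] { nc });
            } catch (IOException | UnsupportedCallbackException e) {
                throw new LoginException("cannot obtain user name: " + e.getMessage());
            }
            Set<String> ents = ENTITLEMENT_STORE.get(nc.getName());
            // Store unreachable or user unknown: fail here and let the JAAS control flag
            // (REQUIRED vs OPTIONAL) decide whether the login as a whole fails.
            if (ents == null) throw new LoginException("no entitlements for " + nc.getName());
            for (String e : ents) fetched.add(new EntitlementPrincipal(e));
            return true;
        }

        @Override public boolean commit() { subject.getPrincipals().addAll(fetched); return true; }
        @Override public boolean abort() { fetched.clear(); return true; }

        @Override public boolean logout() {
            // Dropping the principals here is why an entitlement change shows up at the next login.
            subject.getPrincipals().removeAll(fetched);
            fetched.clear();
            return true;
        }
    }

    /** Request-time context that no pre-computed cache can know in advance. */
    public record RequestContext(String authenticationMethod) {}

    /** Combining algorithm from the post: static entitlement must be present, then context policies must grant. */
    public static boolean isAllowed(Subject subject, String privilege, String resource, RequestContext ctx) {
        Set<String> ents = new HashSet<>();
        for (EntitlementPrincipal p : subject.getPrincipals(EntitlementPrincipal.class)) ents.add(p.getName());

        // DENY (//priv/all, //sgrp/foo/allusers, //app/foo) if not "ent1" in [user_entitlements]
        if (!ents.contains("ent1")) return false;

        // GRANT (//priv/read, ..., //app/foo/sensitive_materials) if authentication_method = "strong"
        if (resource.startsWith("//app/foo/sensitive_materials")) {
            return "read".equals(privilege) && "strong".equals(ctx.authenticationMethod());
        }
        return resource.startsWith("//app/foo");   // everything else under //app/foo: static entitlement alone
    }

    public static void main(String[] args) throws LoginException {
        Subject joe = new Subject();
        LoginModule lm = new EntitlementLoginModule();
        lm.initialize(joe, callbacks -> ((NameCallback) callbacks[0]).setName("joe"), Map.of(), Map.of());
        lm.login();
        lm.commit();
        System.out.println(isAllowed(joe, "read", "//app/foo/reports", new RequestContext("password")));
        System.out.println(isAllowed(joe, "read", "//app/foo/sensitive_materials", new RequestContext("password")));
        System.out.println(isAllowed(joe, "read", "//app/foo/sensitive_materials", new RequestContext("strong")));
        lm.logout();
        System.out.println(isAllowed(joe, "read", "//app/foo/reports", new RequestContext("strong")));
    }
}
```

Run with a Java 17 JDK (records and Map.of are used). Joe is allowed on //app/foo/reports with a password login, refused on sensitive_materials until the context says the authentication was strong, and refused everywhere once logout() has removed the principals - which is the "new entitlements at next login" behavior the post describes. Note that the check never touches the entitlement store at request time; the only request-time input is the context object.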

Wednesday, July 1, 2009

Oracle Identity Federation 11g is Now Live

We launched Fusion Middleware 11g today. It's not just announcements - the software is ready to download.

There is more information on the updated Identity Management site.

It's a major milestone for Oracle Identity Federation reflecting over 2 years of work.

So what is new?

First - all 11g Identity Management components are now integrated with Enterprise Manager Fusion Middleware Control (EMFMC). EMFMC provides customers with operational monitoring (is the server up/down, how is it performing) and is the single point of access for logging and auditing.

Second - Oracle Identity Federation now is a J2EE app and comes deployed on Oracle WebLogic Server 10.3.1 OOTB.

Third - we introduced a new unified architecture across all protocols - the Oracle Universal Federation Framework. It is now much easier to plug OIF into existing environments and to build integration extensions.

To learn more about the benefits of the new version, visit the product documentation site.

Over the next few posts I will continue to provide more information on OIF 11g.



New OAM 10.1.4.2 Certifications Released (June 2009)

The following new OAM 10.1.4.2 Certifications have been released:
1) Oracle HTTP Server (OHS) 10.1.3.4+ v2.0 (64-bit) WebGate for HP-UX Itanium 11.23 and 11.31
2) Lotus Domino Web Server 8.5.x (64-bit) WebGate for Windows 2003 EE SP2+ and Windows 2008 EE - x86-64 hardware
3) Sun Java Webserver 7.0.x (64-bit) WebGate for Solaris 10 (64-bit) - SPARC S2 hardware

Additional Resources:
OTN (download) location
OAM 10.1.4.x Support matrix location
OAM 10.1.4.x Package list location

Wednesday, May 27, 2009

Authentication and Authorization - Identity Services in OAM and/or OES

Recently, the question came up on how to expose authentication and authorization as identity services inside of the Access Management Suite.

Two solutions:

OES - Web Services SM configured with OAM SSPI Connector
OAM - Access Management - ASDK - with custom web services wrapper

Both definitely good choices. A few quick thoughts on when each would be appropriate.

OES WS SM can be configured with the OAM SSPI connector to consume OAM sessions - ObSSO cookies - but it can also be configured to consume SAML Assertions. It can be configured to return, in response to an assertIdentity call, different types of tokens, including a SAML assertion. On the authorization front, OES does fine-grained authorization. The Web Services wrapping the Java API are what they are - they work well, but are not integrated with any container. It also exposes a standard authorization service with XACML.

OAM with a custom web services wrapper works with ObSSO cookies and focuses on coarse grained authorization, like what is typically required for URLs. The Web Services implementation, since it's built on top of the container, is integrated. Also, it's very simple to take a POJO and turn it into a fully functioning web service.

So, basically if you need to extend OAM to have a SOAP interface for authentication and coarse-grained authorization, wrapping the ASDK in a web-service seems like the way to go. If you need more of a heterogeneous implementation which is expected to integrate using standards like SAML and XACML and has fine-grained authorization requirements, then the OES WS SM solution makes the most sense.

Wednesday, May 20, 2009

Using OES to Secure POJOs - Fact or Fiction?

In providing access control, there are two "main" functions - policy enforcement and policy evaluation.

The Policy Enforcement Point (PEP) intercepts the request and asks the Policy Decision Point (PDP) to evaluate the request. The PDP responds - yes/no - and then the PEP either lets the call continue or blocks the request. A good example of this whole model can be found in the XACML spec.

So, when looking at the question "Can OES be used to secure POJOs?" we need to look at both parts of the model - PEP and PDP.

On the PDP side, OES is sufficiently flexible to perform the task. The OES resource model allows for hierarchical names. This maps nicely to Java class names:

//resource/com/foo/Customer

Using this model, you could write policies to block access to packages or classes - sort of useful, but probably not the main case. What about methods? There are really two choices here. The first is mapping the method invocation to the action:

//priv/getBalance //resource/com/foo/Customer

The second is going with a generic action and putting the method name as the leaf node of the resource:

//priv/invoke //resource/com/foo/Customer/getBalance

The latter makes it easier to write policies for "all actions on an object".

Now, what about access control at the instance level? I want to write a policy that says that 'Joe can get the balance of the customer if the customer is in state="MA"'

grant (//priv/invoke, //resource/com/foo/Customer/getBalance, //user/foo/Joe) if state="MA"

Makes sense, but how does OES get the state of the customer object?

OES has the ability to pass information from the PEP to the PDP. This includes Java objects. Either the PEP could use Java reflection to pass the attributes, or the PEP could pass the instance (assuming it's serializable) and OES could use attribute retrievers to get the values from the instance.

In a previous post, I discussed customers' desire for PEPs (Policy Enforcement Points). So, how would you go wire this in?

It depends on what container, if any, you are using. With no container, you need to look at AOP to insert these calls before the method runs. In Spring, you could do this with Acegi + OES. If you are willing to make some small code changes, maybe look at securing the classes with custom Java Permissions.

In my experience, I haven't seen a need for securing all POJOs. If you do need that, then use Java Security and custom permissions. What I have seen is the need to secure a small number of very sensitive classes. In that case, look at what the container provides, or possibly modify the class to explicitly call OES.
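As an added example (not from the post and not the OES API), here is one way to wire the PEP in with no container, using a JDK dynamic proxy instead of a full AOP framework. The proxy maps every interface call to the generic-action naming scheme above (//priv/invoke on //resource/com/foo/Customer/getBalance), pulls the target instance's getter values by reflection so the PDP can evaluate the state="MA" rule, and refuses the call if the decision is negative. The Pdp interface, the in-memory policy and the Customer type are constructed for the example; the file is assumed to live in package com.foo so the generated resource names match the post.

```java
package com.foo;

import java.lang.reflect.InvocationHandler;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;
import java.util.HashMap;
import java.util.Map;

public class PojoPepDemo {

    /** Hypothetical PDP interface standing in for a call out to OES. */
    public interface Pdp {
        boolean isAccessAllowed(String user, String privilege, String resource, Map<String, Object> context);
    }

    public static final String INVOKE = "//priv/invoke";

    /** Naming scheme from the post: generic action, method name as the leaf of the resource. */
    public static String resourceFor(Method m) {
        return "//resource/" + m.getDeclaringClass().getName().replace('.', '/') + "/" + m.getName();
    }

    /** Read bean-style getters off the target so the PDP can evaluate instance-level rules like state="MA". */
    public static Map<String, Object> instanceAttributes(Object target) {
        Map<String, Object> attrs = new HashMap<>();
        for (Method m : target.getClass().getMethods()) {
            String n = m.getName();
            if (m.getDeclaringClass() == Object.class || m.getParameterCount() != 0
                    || !n.startsWith("get") || n.length() == 3) continue;
            try {
                attrs.put(Character.toLowerCase(n.charAt(3)) + n.substring(4), m.invoke(target));
            } catch (ReflectiveOperationException e) {
                // unreadable attribute: leave it out; a policy that needs it then simply does not match
            }
        }
        return attrs;
    }

    /** PEP: a dynamic proxy that asks the PDP before every call on the interface. */
    @SuppressWarnings("unchecked")
    public static <T> T protect(T target, Class<T> iface, Pdp pdp, String user) {
        InvocationHandler h = (proxy, method, args) -> {
            if (method.getDeclaringClass() == Object.class) return method.invoke(target, args);
            String resource = resourceFor(method);
            if (!pdp.isAccessAllowed(user, INVOKE, resource, instanceAttributes(target))) {
                throw new SecurityException(user + " denied " + INVOKE + " on " + resource);
            }
            try {
                return method.invoke(target, args);
            } catch (InvocationTargetException e) {
                throw e.getCause();   // surface the target's own exception, not the reflection wrapper
            }
        };
        return (T) Proxy.newProxyInstance(iface.getClassLoader(), new Class<?>[] { iface }, h);
    }

    /** Constructed policy: grant (//priv/invoke, //resource/com/foo/Customer/getBalance, Joe) if state="MA". */
    static final Pdp DEMO_PDP = (user, privilege, resource, ctx) ->
            "joe".equals(user) && INVOKE.equals(privilege)
                    && "//resource/com/foo/Customer/getBalance".equals(resource)
                    && "MA".equals(ctx.get("state"));

    public static void main(String[] args) {
        Customer boston = protect(new CustomerImpl("MA", 1200), Customer.class, DEMO_PDP, "joe");
        Customer dallas = protect(new CustomerImpl("TX", 900), Customer.class, DEMO_PDP, "joe");
        System.out.println("MA customer balance: " + boston.getBalance());
        try {
            dallas.getBalance();
        } catch (SecurityException e) {
            System.out.println("TX customer: " + e.getMessage());
        }
    }
}

/** Constructed POJO under protection, kept top-level so its resource name is //resource/com/foo/Customer/... */
interface Customer {
    String getState();
    long getBalance();
}

class CustomerImpl implements Customer {
    private final String state;
    private final long balance;
    CustomerImpl(String state, long balance) { this.state = state; this.balance = balance; }
    @Override public String getState() { return state; }
    @Override public long getBalance() { return balance; }
}
```

Two things worth noticing. The PEP, not the caller, reads the instance attributes, so a caller who is about to be denied never sees the object's state. And because the resource name is derived from the interface the proxy implements, the policy is written against com.foo.Customer rather than the implementation class - which is the right granularity when several implementations sit behind one interface.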

Monday, May 18, 2009

Oracle Enterprise Single Sign-on Suite version 10.1.4.1.0

The new version of the Oracle Enterprise Single Sign-on Suite version 10.1.4.1.0 is officially released and is posted to OTN for download. Check it out.

Product Download on OTN : http://download.oracle.com/otn/nt/ias/101401/as_windows_x86_esso-suite-multi-language-101410.zip
Docs for 10.1.4.1.0 : http://download.oracle.com/docs/cd/E12472_01/index.htm

Here are some of the new features in this release that are worth exploring:

  • New ESSO-LM User Interface
  • Updated Change Password User Interface
  • Administrative Improvements
    • Notification Service
    • Do not Add Predefined Templates to Bulk-Add by Default
    • Avoid Sending Admin Overrides for Certain Registry Keys
    • Domain Password Validation for Credential Sharing Groups
    • Infrastructure to Support Reporting Server
  • Authentication Enhancements
    • New Windows Logon v2 Installer Options
    • Network Provider Support for Windows XP and 2000
    • Share Authenticator Credentials with Synchronizer
    • LDAP v1 Logon Method now supports multiple Active Directory domains.
  • Newly Supported Systems
    • PuTTY v0.60
    • Newhart Systems BLUES 2000
    • Jolly Giant QWS3270 PLUS v4.4
    • Mozilla Firefox 3.0
    • Siemens DirX Directory v8
    • IBM Lotus Notes 8.0.1

Tuesday, May 5, 2009

BT and Oracle: Managed Fraud Reduction Service

British Telecom and Oracle are working together to help customers prevent fraud and verify identity with a combined solution. The combination of the real-time behavioral profiling, transaction analysis and identity verification make MFR a powerful and complete solution for customers in many different verticals. Here are some good articles written recently about this unique new offering from two industry leaders.

http://www.anti-keylogger.org/news_world.cgi?id=5356
http://www.pcw.co.uk/vnunet/news/2241280/bt-unveils-managed-security
http://uk.news.yahoo.com/16/20090428/ttc-infosec-2009-bt-unveils-managed-secu-6315470.html

Thursday, February 19, 2009

Standard Life Chooses Oracle IdM

CBR Online posted an interesting article about Standard Life's decision to use Oracle access management products to secure its sensitive applications. Standard Life will be using OAAM and the other access products to protect both customer and employee facing applications. Read the article...

http://www.cbronline.com/news/standard_life_to_roll_out_oracle_id_190209

Monday, December 1, 2008

Fraud Flash for the week of December 1, 2008

Dec. 1, 2008
'Perfect storm' Conditions line up for identity theft
http://www.elpasotimes.com/ci_11108752?source=most_emailed
From 8.5 million to 11 million U.S. consumers become victims of identity theft each year, depending on the estimate you use, said Levin, the former director of the New Jersey Division of Consumer Affairs.

Phishing Attacks Set New Records During September-October 2008
http://www.spamfighter.com/News-11380-Phishing-Attacks-Set-New-rerecords-During-September-October-2008.htm
A researcher at internet security company, Cyveillance, claims that in the past 60 days (September-October), phishing attacks have set new records in terms of frequency and volume, as reported by darkreading on November 17, 2008.

iDefense - Phishing E-mails Become More Sophisticated & Stealthier
http://www.spamfighter.com/News-11378-iDefense-Phishing-E-mails-Become-More-Sophisticated-Stealthier.htm
According to the statistics given by the company, a new piece of malware is ready to be installed on a system every six seconds. Once installed, it becomes extremely difficult to detect, which in turn makes way for a spear-phishing attack.

OSU’s Students & Staff Targeted by Phishers
http://www.spamfighter.com/News-11379-OSUs-Students-Staff-Targeted-by-Phishers.htm
The spoofed e-mail asked recipients to log on to a fake website to catch up on current news and information about OSU, and directed them to a copy of the university's webmail page. As soon as they logged on, victims were redirected to the Ohio State Newark web page. The fake page is used to harvest visitors' usernames and passwords, which can then be sold to criminals.

Wednesday, November 19, 2008

Variations on a Theme: SOA Security Best Practices

Since presenting at OOW, I've had a few follow-up discussions - inside and outside of Oracle - about the architecture I presented there. I think the main point I wanted to convey was that there is no one-size-fits-all for SOA Security - or any security for that matter. That having been said, I would like to comment on two variations which have been suggested.

1 - Instead of using OWSM to protect an end-point could I use OSB?

OWSM (Oracle Web Services Manager) and OSB (Oracle Service Bus) are complementary technologies. This is not exclusively an either/or situation. For example, for public facing web services, using OWSM to protect the perimeter makes sense. This is the SOA equivalent of using Web SSO (like Oracle Access Manager) to ensure only authenticated traffic enters the network. Assuming that the services are hosted in OSB and accessible from inside the network, it makes sense to have some security on these services as well. In OSB, different proxy services can have different security policies even though they point to the same business service.

So in summary, I could have used OSB instead of OWSM+WLS in my OOW demo. I could also have used both. The scenario was an employee intranet calling out to an out-sourced HR provider. With that HR service publicly exposed on the internet, the OWSM+OSB architecture described above makes sense.

2 - Instead of using SAML to pass identity from application to application, could I use my Web SSO token?

In the demo, I used the Credential Mapping capabilities of WLS to generate a SAML assertion, but what if you're running on a container/Web Services client stack that doesn't have that feature? Is there any issue with just passing the SSO cookie in an HTTP header, or as part of WS-Security as a BinarySecurityToken?

There are two separate issues here - the first is the quality of the token (Web SSO vs SAML) and the second is message level security.

Both SAML assertions and Web SSO cookies have some ability to prevent being re-used in unauthorized ways - IP address checking or audience restrictions - and have some notion of timeout - session timeout or validity periods. I think one issue when choosing SAML vs. Web SSO is the duration of the transaction. For example, in the demo, let's assume that the large-raise service required approval. In that case, by the time the transaction is approved, it's quite likely that the Web SSO ticket has expired. A SAML assertion generated for the specific purpose of the transaction could have a longer validity period - weeks. Regulations like PCI DSS require idle sessions to time out after 15 minutes.

Regardless of the token, to ensure that the credentials are not misused, digitally signing the message essentially "staples" the credential to the message. Taking the credential and adding it to a different message will not work, because the signature no longer verifies. This ensures that the token - SAML or otherwise - is used appropriately. This and other techniques are covered in some detail in the WS-Security SAML Token Profile.
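As an added illustration (not from the post, and not a WS-Security implementation), here is the "stapling" idea reduced to its essentials with plain JCA: the sender signs the credential and the message body together, so a verifier that recomputes the signature over the pair rejects a perfectly valid token that has been lifted and attached to a different body. A real WS-Security signature covers the SOAP body and the token (or a reference to it) using XML Signature; the length-prefixed byte layout, the key pair and the messages below are constructed for the example.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.*;

public class StapledTokenDemo {

    /** Minimal "message": an opaque bearer credential (SAML assertion or SSO cookie) plus a body. */
    public record SignedMessage(String token, String body, byte[] signature) {}

    // Canonical bytes covering BOTH the token and the body. The length prefixes make sure
    // that shifting the token/body boundary cannot yield the same byte string.
    static byte[] signedBytes(String token, String body) {
        byte[] t = token.getBytes(StandardCharsets.UTF_8);
        byte[] b = body.getBytes(StandardCharsets.UTF_8);
        ByteBuffer buf = ByteBuffer.allocate(8 + t.length + b.length);
        buf.putInt(t.length).put(t).putInt(b.length).put(b);
        return buf.array();
    }

    /** Sender side: one signature over token and body together. */
    public static SignedMessage sign(PrivateKey key, String token, String body) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(key);
        s.update(signedBytes(token, body));
        return new SignedMessage(token, body, s.sign());
    }

    /** Receiver side: the token is only trusted for THIS body if the pair verifies. */
    public static boolean verify(PublicKey key, SignedMessage m) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(key);
        s.update(signedBytes(m.token(), m.body()));
        return s.verify(m.signature());
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair sender = kpg.generateKeyPair();

        // Constructed credential and request; in the demo these would be the SAML assertion and the raise request.
        String token = "constructed-assertion-for-alice";
        SignedMessage raise = sign(sender.getPrivate(), token, "<giveRaise employee='alice' amount='500'/>");
        System.out.println("original verifies: " + verify(sender.getPublic(), raise));

        // An intermediary lifts the still-valid credential and signature and staples them to a different request.
        SignedMessage replay = new SignedMessage(raise.token(),
                "<giveRaise employee='mallory' amount='50000'/>", raise.signature());
        System.out.println("token moved to another body verifies: " + verify(sender.getPublic(), replay));
    }
}
```

The second verification fails because the signature was computed over the original body. The same property holds whatever the credential is, which is why the post's answer to "SSO cookie or SAML?" separates token quality from message-level protection: the signature is what stops a captured token from being reused, and the token's own validity window is what limits how long the signed message stays acceptable.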

So, in both of the two variations, the answer is "it depends". I wish it was more straight-forward, and I had some universal best practices. I'm happy to share my thoughts on this blog or elsewhere - preferably some place warm :)

Monday, November 17, 2008

Fraud Flash for the week of November 17, 2008

Oct. 24, 2008
'Phishing' fraud e-mails hit Huskymail accounts
http://media.www.dailycampus.com/media/storage/paper340/news/2008/10/24/News/phishing.Fraud.EMails.Hit.Huskymail.Accounts-3505114.shtml
Over the last couple of months, an e-mail fraud attempt known as phishing has hit the university's e-mail server, putting thousands of students at risk, according to a report released earlier this week on the university's information and technology security Web site.

Nov. 17, 2008
Celent Tackles Insider Fraud
http://www.americanbanker.com/btn_article.html?id=20081029IGFNE94L
Insider fraud accounts for 60 percent of bank fraud cases where a data breach or theft of funds has occurred, yet in the last three years, just nine percent of financial services data breaches were a result of insider fraud.

ID Thieves Are Targeting Home Equity Lines
http://www.foxbusiness.com/story/personal-finance/id-thieves-targeting-home-equity-lines/
The FBI says HELOC thieves typically use stolen identification to apply online for a line of credit in your name. Then they instruct the bank to wire the funds to their accounts, providing their own contact information in place of yours.

Monday, October 20, 2008

Oracle Adaptive Access Manager 10.1.4.5 (10gR3)

Oracle Adaptive Access Manager provides real time and offline context aware risk assessment, multi-factor authentication and authentication process hardening for enterprise and consumer web applications. Adaptive Access Manager makes it safer for all types of businesses to expose sensitive data, transactions and business processes to consumers, remote employees and partners.

I'm pleased to announce the release of OAAM 10gR3. This release contains a lot of exciting new enhancements that the market has been asking for. Increased effectiveness, ease of use, and adaptability were the main themes of this release. The major areas of enhancement are globalization, behavior profiling, investigation tools, dashboard, reporting, proxy support, configurable actions and the administration interfaces.

1. OAAM 10gR3 has been localized for the standard set of languages supported by Oracle products. Specifically, Adaptive Risk Manager supports the nine standard administration languages and Adaptive Strong Authenticator supports the twenty-six standard runtime languages.
2. Behavior profiling uses administrator defined patterns to profile the behavior/activity of entities such as users, devices, IPs, shipping addresses, credit cards, email addresses, etc. The rules engine uses the profile data to evaluate the risk level of a situation based on comparisons of "normal" activity for the individual entity and all entities of the same type.
3. The new agent cases make forensic investigations quicker, easier and more successful. Events can be configured to create a case automatically. An investigator can quickly view the data involved in an incident and quickly locate related situations by easily harnessing the complex data relationships captured by OAAM.
4. The dashboard has expanded performance statistics and summary data as well as enhanced trend graphing capabilities.
5. A limited license of Business Intelligence Publisher is now included with OAAM so reporting can be fully customized to meet customer requirements. A collection of out of the box templates are provided that can be used as is or altered.
6. An Apache version of the "Universal Installation Option" reverse proxy is now supported to provide an alternative to the MS ISA proxy.
7. New configurable actions allow for customizations and integrations previously not possible. Custom code can be called directly by the ARM rules engine. This capability opens the door to almost unlimited possibilities.
8. The enhanced administration interfaces allow access to functionality previously available only to developers programmatically. The rule template editor allows a non-developer to create, edit and delete rule templates completely in the GUI. The transaction configuration screens allow the definition of a transaction and its constituent data elements. Various environment configurations, such as logging, properties and enumerations, are now exposed in the UI as well.

You can learn more about OAAM here

You can download OAAM here

Thursday, October 2, 2008

Fraud Flash for the week of September 29, 2008

Sept. 30, 2008
Identity theft victim wins right to sue county clerk over posting of personal data
An Ohio woman whose identity was allegedly stolen after an image of a speeding ticket containing her personal information was posted on a county government Web site can sue the county official responsible for putting such records online, a state appeals court in Cincinnati ruled last week.

Oct. 1, 2008
Online fraud rises by 185 per cent
The amount of money lost to internet fraudsters specifically targeting banking customers rose by an alarming 185 per cent in the first six months of 2008 because of an increase in phishing attacks and spyware scams, according to Apacs, the payment industry association.

Online fraud nearly doubles in just 12 months!
If ever there was a sign that we are in real trouble with worldwide economies it is the massive growth in online fraud as more and more people throw their common sense out of the window and chase an array of free money, gifts and other such prizes.

Oct. 2, 2008
New phishing attempt targets bank customers
Many people are wondering what to do now that their bank has been acquired in the wake of the lending crisis. Well, whatever you do, don't click on links in e-mails purportedly sent by your bank.
Security firm SonicWall said Thursday that it has been seeing e-mails that attempt to lure people to fake bank Web sites, where they are asked to re-verify their personal and bank information as part of a merger.

Phishing scams cash in on bank crisis
Businesses need to be on the lookout for phishing scams trying to cash in on the current economic crisis gripping the US. According to JP Morgan, customers using its Chase services have been receiving spam emails from fraudsters trying to commit identity theft and fraud by coaxing users into giving them account information.

Thursday, September 25, 2008

SOA Security - ADT or Crocodile Filled Moat?

I'm sitting here in the middle of the Moscone center as OpenWorld 2008 comes to an end. It's been a long week, but I wanted to take some time to capture some thoughts on my first open world presentation.

This morning, Eric Leach and I presented to an enthusiastic group on securing WebLogic applications with Oracle Access Management. As the "technical guy", I put together a demo of Oracle Access Manager, WebLogic Server, Oracle Entitlements Server and Oracle Web Services Manager all working together in a "best practice" architecture.

The demo covered a fairly common scenario: end-to-end security in a SOA. For example, the customer already has an investment in OAM, and they need to extend that security capabilities down to the rest of the architecture - applications, services and data.

In the past, I think that the temptation would be to use OAM. Prior to the emergence of the entitlements market, WAM was the only COTS solution for externalizing authorization. WAM products are most successfully deployed when focused on the problem of web SSO. Authorization and the centralized management of security policy is better handled by Oracle Entitlements Server - OES.

I used OES to provide authorization for JEE resources, JSP pages, and Web Services. Both OES and OAM used a common directory - Oracle Internet Directory - as a system of record for users, user attributes and group memberships. This information fed the policies enforced by OES.

In order to have these policies enforced correctly, the various enforcement points need to have the correct user identity. The problem of propagating identity across an SOA is not a simple one. In the course of the demo, I actually had to use multiple mechanisms. The identity from OAM to WLS is passed via OAM Session cookie. WLS then generates a SAML Assertion and passes it in the WS-Security Envelope to a OWSM. OWSM in making the very fine grained access control checks to OES uses a simple USERID_TOKEN (username). In theory, I could have used SAML for all of these interactions, but in many cases the full on SAML is too much.

Like most everything in security, there is no "correct" answer - no perfect solution. The solution that I demonstrated using OAM, WLS, OES and OWSM is an attempt at a reasonable 80% case - something which most customers could use as a jumping off point for defining their own solution.
I think a good analogy in information security to "How much security is enough security?" is "What alarm system should I buy for my house?". I like to think of the solution I outlined in the OOW session as the "ADT Starter Package" of solutions - pretty good for most single family residences. Most houses don't need a moat or guard dogs, but a military base needs more than a "Keep Out" sign...you get my point :)

Thanks again to everyone who attended the session and for all of the questions. I gave out quite a few business cards, so I hope to hear from all of you. For those who didn't attend, once I get home I'll add the relevant links from the session, and hope to drive some discussion around the solution.