Getting requestor’s IP address through Oracle WSM

Oracle Web Services Manager (OWSM – some people pronounce it as ‘Awesome’) plays an important role in Oracle’s contribution to SOA governance. Put simply, it brings better control and visibility over how, when and by whom web services are invoked. OWSM, which is a key product in the Oracle SOA Suite, was voted one of the best security solutions by SYS-CON Media, the world’s leading i-technology media and events company, in its 2007 SOAWorld Readers’ Choice Awards.

Apart from the predefined policies, OWSM provides an extensibility point to define a custom policy step that can be executed as part of the request or response pipeline. There is an Oracle by Example (OBE) tutorial available that provides details for creating a custom step. The custom step authenticates the user against a fixed set of username/password credentials configured in the policy step pipeline.

You can go one step further and check the IP address of the requesting client by accessing the HttpServletRequest held in the MessageContext, from the execute operation of your custom step code.

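import javax.servlet.http.HttpServletRequest;
import com.cfluent.pipelineengine.container.MessageContext;

// getRemoteHost() may return a host name if the container does reverse DNS lookups;
// getRemoteAddr() always returns the IP address.
String remoteHost = ((HttpServletRequest) ((MessageContext) messageContext)
        .getProperty("javax.servlet.request")).getRemoteHost();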

Remember that if there are proxies or NAT devices between the requester and the provider, you will see the address of the last hop and won’t know the real source IP. Clearly this only works for HTTP-based requests. However, a similar approach could be used for JMS.
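
The proxy caveat above, as an added example that is not from the original post or from OWSM: a helper that decides which address to use when the request may have passed through reverse proxies. It assumes your proxies append to the de facto X-Forwarded-For header; the class name, the trusted-proxy list and the sample addresses are hypothetical, and in a custom step the two arguments would come from getRemoteAddr() and getHeader("X-Forwarded-For") on the HttpServletRequest.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public class ClientAddressResolver {
    // Hypothetical allow-list: addresses of reverse proxies you operate yourself.
    private final Set<String> trustedProxies;

    public ClientAddressResolver(Set<String> trustedProxies) {
        this.trustedProxies = trustedProxies;
    }

    /**
     * @param remoteAddr    value of HttpServletRequest.getRemoteAddr()
     * @param xForwardedFor value of getHeader("X-Forwarded-For"), or null
     * @return the address to use for access decisions and audit logging
     */
    public String resolve(String remoteAddr, String xForwardedFor) {
        // The header is client-controlled unless the direct peer is our own proxy.
        if (xForwardedFor == null || !trustedProxies.contains(remoteAddr)) {
            return remoteAddr;
        }
        String[] hops = xForwardedFor.split(",");
        // Each proxy appends the peer it saw, so walk from the right and stop
        // at the first hop that is not one of our proxies.
        for (int i = hops.length - 1; i >= 0; i--) {
            String hop = hops[i].trim();
            if (!hop.matches("[0-9A-Fa-f:.]+")) {
                return remoteAddr; // malformed entry: fall back to the peer
            }
            if (!trustedProxies.contains(hop)) {
                return hop;
            }
        }
        return remoteAddr;
    }

    public static void main(String[] args) {
        ClientAddressResolver r = new ClientAddressResolver(
                new HashSet<>(Arrays.asList("192.0.2.10", "192.0.2.11"))); // constructed
        // Direct client that forges the header: header ignored.
        System.out.println(r.resolve("203.0.113.7", "10.0.0.1"));
        // Request through our proxy chain; leftmost entry was supplied by the client.
        System.out.println(r.resolve("192.0.2.10", "10.0.0.1, 198.51.100.23, 192.0.2.11"));
        // Proxy peer but no header: only the proxy address is known.
        System.out.println(r.resolve("192.0.2.10", null));
    }
}
```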

It is worth mentioning Vikas Jain’s Web Services Security blog which is a treasure trove of useful information on OWSM.

Changing post-installation configuration for Oracle Access Manager Identity Server

Oracle Access Manager is an enterprise-scale solution for both centralized identity management and access control. It integrates out-of-the-box with all leading directory servers, application servers, web servers, and enterprise applications. By protecting resources at the point of access and delegating authentication and authorization decisions to a central authority, Access Manager helps secure web, J2EE, and enterprise applications. It also provides self-service administration functionality, complying with the authentication and authorization policies that are defined centrally. Not only that, Access Manager has APIs for customisation and integration, making it possible to address a number of functional and non-functional requirements for security solutions in different industries. However, its most topical feature is its Single Sign-on capabilities, making it a very attractive solution for enterprise deployment of SOA software solutions.

As you would expect with software that does so much, there is a lot involved in setting up Oracle Access Manager. Although it is not very complicated, there are a significant number of steps which have to be done right. Thankfully, these steps are set out in an Oracle By Example series which provides step-by-step instructions on how to perform a variety of tasks by integrating Oracle Virtual Directory with Oracle Access Manager.

When setting up Identity Server and Web Pass there is a post-installation configuration sequence which is really straightforward. However, if you make a mistake which is not addressed before the setup completes, how do you change these settings? Here’s how…

The post-installation configuration process involves a number of screens. The status of the configuration is maintained by the Identity Server in identity/oblix/config/setup.xml. To trick the Identity Server into taking you through the post-installation configuration process again when you click on the ‘Identity System Console’, you have to edit this file.

Simply comment out the ‘status’ NameValPair element. Save the file and restart both the Identity Server and HTTP Server. Then, go back over the Postinstallation Configuration for Oracle Access Manager Identity Server as normal. Voilà!

Securing SOA

A recent white paper by Marc Chanliau, Oracle Fusion Middleware Product Management, on Web Services Security is now available on OTN. The What is required to secure SOA white paper gives a clear overview of the security requirements for services and how these requirements, with corresponding ‘standards’, have evolved.

In his paper, Marc discusses transport layer as well as application layer security for services. He also outlines the role of the many security-related standards, technologies and tools out there. The approach taken shows how and where they complement or overlap. Such topics include:

  • Confidentiality, Integrity, Authenticity: XML Encryption, XML Signature.
  • Message-Level Security: WS-Security.
  • Secure Message Delivery: WS-Addressing, WS-ReliableMessaging.
  • Metadata: WS-Policy, WS-SecurityPolicy.
  • Trust Management: SAML, WS-Trust, WS-SecureConversation, WS-Federation.
  • Public Key Infrastructure: PKCS, PKIX, XKMS.

Every web services developer should have an understanding of these concepts. I highly recommend this document as a basic primer in web services security.

SOA Governance isn’t about technology either…

Steve Jones summarises a few of the points from a recent ICSOC 2007 debate on SOA Governance and mentions some enforcement ideas in his recent Service Architecture – SOA: SOA Governance isn’t about technology either… article. He makes a good point about people and process.

In the same way, the Rules of the Road is not about what car you drive but about your behaviour and the behaviour of other road users. The reason we have Rules of the Road is because we know, and people recognise, the cause and effect of accidents as well as traffic chaos.

Highlighting SOA anti-patterns (e.g. IBM Article, SOA anti-patterns book) is a good start in bringing poor ‘driver behaviour’ to people’s attention. However, as governance is really a business, rather than a technical, issue, and the business should be the ‘driver’, we also need a higher level exposition (à la Who moved my cheese?) of good business practice around ‘doing IT right’. Any volunteers?