Tuesday, August 10, 2021

Web Service Security Policies in Oracle Fusion

Basic authentication (login and password) can be used to authenticate to every web service in Oracle ERP Cloud, but what if we want a higher level of security? Let's look at more effective methods for securely accessing web services in Oracle Fusion.

Oracle Web Services Manager (OWSM) policies enforce and enable web service security in Oracle Fusion Applications.

Whilst basic authentication might be sufficient in some cases, there are more secure ways to call Fusion Applications web services.

These involve the use of a secure session header token. The token expires within a few hours of being generated.

Tokens are encrypted and signed.

SOAP Web services policies -

  • SOAP web services are secured by a global server-side policy called oracle/wss11_saml_or_username_token_with_message_protection_service_policy

  • SOAP WSDLs contain an X509 certificate in binary format.
  • This certificate needs to be imported into the client machine's certificate keystore.

  • The client application uses it to encrypt the web service requests it sends to ERP Cloud; the cloud environment decrypts each request upon receipt.

  • Additionally, a certificate needs to be generated on the client machine and then imported into the Fusion Applications environment's certificate keystore. Oracle Support can help with importing the certificate into a Fusion Applications environment.

REST Web services policies -

  • REST services are secured by a single global server-side policy called oracle/multi_token_over_ssl_rest_service_policy

  • This policy supports three different authentication mechanisms -
    - Basic Authentication
      · The username and password are combined, base64 encoded and passed in the header to authenticate to the web service.
    - JWT HTTPS header token
      · JSON Web Tokens (JWT) are used to store session data.
      · Oracle Fusion Applications stores session information within a JWT token, so the token can be used to maintain a session.
      · The JWT token is retrieved during the authentication process and is then placed in the header of every REST service request.
      · JWT tokens expire after a few hours, and a new one is necessary to continue the session.
    - SAML 2.0 HTTPS header token
      · Similar to JWT, Security Assertion Markup Language 2.0 (SAML 2.0) tokens can be stored in the HTTP header to authenticate and authorize a user.
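As an added example (not code from this post or from Oracle), here is a small client-side helper for the two REST mechanisms above: it builds the Basic header and shows why it must only travel over TLS, and it reads the exp claim of the session JWT so the client re-authenticates before the token expires rather than failing mid-session. The `Authorization: Bearer` header name, the refresh margin and the sample token are assumptions; the signature check is deliberately left to the Fusion server.

```python
import base64
import json
import time
from typing import Optional


def basic_auth_header(username: str, password: str) -> dict:
    # Basic auth is only an encoding of "user:pass", not encryption,
    # so the header must never be sent over plain HTTP.
    raw = f"{username}:{password}".encode("utf-8")
    return {"Authorization": "Basic " + base64.b64encode(raw).decode("ascii")}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    # Reads the payload only. This does NOT verify the signature: the server
    # does that. Use it solely to schedule a client-side refresh.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def jwt_seconds_left(token: str, now: Optional[float] = None) -> float:
    exp = jwt_claims(token).get("exp")
    if exp is None:
        raise ValueError("token has no exp claim; cannot plan a refresh")
    return float(exp) - (time.time() if now is None else now)


def bearer_header(token: str, now: Optional[float] = None,
                  min_remaining: float = 300) -> Optional[dict]:
    # Returns the header for the next REST call, or None when the token is
    # within min_remaining seconds of expiry and a fresh login is required.
    if jwt_seconds_left(token, now) <= min_remaining:
        return None
    return {"Authorization": "Bearer " + token}  # header name assumed


def make_sample_jwt(exp: int) -> str:
    # Constructed test token: realistic layout, placeholder signature.
    def enc(obj: dict) -> str:
        data = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
    header = {"alg": "RS256", "typ": "JWT"}
    payload = {"sub": "integration.user", "iss": "constructed-issuer",
               "iat": exp - 4 * 3600, "exp": exp}
    return f"{enc(header)}.{enc(payload)}.placeholder-signature"
```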


