8/8/2019 Opss Tech Presentation 133449
Oracle Platform Security Services & Authorization Policy Manager
Vinay Shukla, July 2010
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remain at the sole discretion of Oracle.
Agenda
  Application Security Challenges
  Oracle Platform Security Services
  Powering the Next Generation of Applications
  OPSS as IDM Integration Platform
  Authorization Policy Manager Benefits
  Summary
  Resources
Copyright 2010, Oracle. All rights reserved

How do Applications Deal with Security Today?
  Business applications need many aspects of security (diagram: Users and Business Applications, surrounded by the following):
  Authentication
  Authorization
  Provisioning
  Identity Data
  Audit
  Federation
How do Applications Deal with Security Today?
  Application developers end up building & embedding security:
  User tables
  LDAP schemas
  Role repository
  Policy repository
  Registration processes
  Administration functionality
  Profile management
  Security & business policy enforcement
  (diagram: Users, Business Applications, App Developers, Enterprise Identity Repositories)
The Result: the CxO's nightmare
  Complexity
  Lack of agility
  Cost
Challenge: Complexity
  Application security is fragmented
  App developers are required to understand and implement security
  Multiple apps with security holes lead to an increased risk of breaches
  Lack of visibility and manageability of security and compliance
Challenge: Lack of Agility
  Integration requires custom point-to-point hardwiring
  Changes lead to redeployment & testing
  Bolt-on solutions lead to vendor lock-in
  (diagram labels: User Tables; User ID & Password Stores; User Profiles & Preferences; Custom authentication schemes; Complex authorization needs; Profile & Password Management)
Challenge: Cost
  Time-to-Market Delays
  Integration Costs
  Administrative Costs
  Lower IT Agility
  Slower Innovation
  It Adds Up $
What is Needed of Security
  Service Oriented & Application Centric Security
  Externalized & loosely coupled
  Application centric: supports the application life cycle
  Provides re-usable security services
  Integrates with IdM
  Standards based & comprehensive
  Security for the cloud-ready enterprise
Oracle Platform Security Services
Introducing OPSS
  The security platform for Oracle Fusion Middleware and Applications
  Declarative, enterprise-grade security framework
  Standards-based services exposed through pluggable abstraction layers
  (diagram, consumers: WebLogic Server Container; SOA Suite, WebCenter; Business Intelligence; Identity and Access Management; JDeveloper, ADF)
  (diagram, services: Authentication, Authorization, Auditing, Roles & Entitlements, User Provisioning, Policy Store, Session Data Management, Directory Services)
Oracle Platform Security Services: Key Features
  Authentication & Identity Services
    JAAS Login Modules
    LDAP server integration
    SAML, Kerberos, SPNEGO token support
    Identity profiles via Identity Governance Framework
  Authorization Services
    JAAS Permissions
    Role Based Access Control (RBAC)
    Declarative support through ADF and JDeveloper
  Audit Framework
    Common Audit Framework (CAF)
    Centralized audit policy management & storage
    Pre-built BI audit reports
    End-to-end tracing through ECID
  Credentials and Cryptography
    Secure storage of credentials
    Oracle Security Developers Toolkit (OSDT)
    Based on Java Cryptography Extensions (JCE)
    Supports XML-Sig, XML-Enc, SAML
Oracle Fusion Middleware: Application Centric Security
  Supports all phases of the application life cycle (diagram labels: JDeveloper; Security Config (EM); Audit (EM); AuthZ Mgmt (APM); Application)
  (diagram, OPSS services: Authentication, Authorization, Auditing, Roles & Entitlements, User Provisioning, Policy Store, Session Data Management, Directory Services)
  Identity Store, Credential Store, and Policy Store Providers: LDAP Directories, Databases, File
Oracle Platform Security Services: IDM enablement platform for Applications & Middleware
  Consumers: Fusion Applications, Vertical Applications, ISV Applications, Customer Apps; SOA, WebCenter, ECM, EPM, BI, RDBMS, IDM
  OPSS services: AuthN, AuthZ, Creds & Keys, Audit, ID Profile, Trust, XML Security, Crypto, SSL
  Security Service Providers: Identity, Policy, Credential Store Providers (LDAP, Database, File)
  AuthN / AuthZ integration: OAM, OES, OAAM*, OID, OVD, ODSEE, STS, OIM*, OWSM
Oracle Platform Security Services
Example: Authentication & Identity Profiles (Design Time)
  Develop: JDeveloper, with declarative development and security wizards
  Test: Integrated WLS
  ID Store: WLS Embedded LDAP
  Authentication: Form Based Authn
  Application calls into OPSS: login(), logout(), getUserProfile(), getUserGroups(), etc.
Oracle Platform Security Services
Example: Authentication & Identity Profiles (Design Time and Production)
  Design Time
    Develop: JDeveloper, with declarative development and security wizards
    Test: Integrated WLS
    ID Store: WLS Embedded LDAP
    Authentication: Form Based Authn
    Application calls into OPSS: login(), logout(), getUserProfile(), getUserGroups(), etc.
  Production
    Deploy & Config: EM, with deploy & config wizards and runtime monitoring
    Runtime: WLS, WAS, JBoss
    ID Store: Oracle or 3rd Party LDAP
    Authentication: OAM or 3rd Party SSO
    Application calls into OPSS: the same login(), logout(), getUserProfile(), getUserGroups(), etc.
Oracle Products using OPSS
Used by over 50 Products in FMW, Apps & GBU

Product                            | What it does                                                                  | How it uses OPSS
Oracle ADF & WebCenter             | ADF is the framework used to develop WebCenter applications (portlets, etc.) | Authentication, Authorization, Audit, Policy management, Credential store framework, Identity Profile
Oracle SOA Suite                   | Provides applications designed to deploy SOA environments (BPEL, ESB, etc.)  | Authentication, Authorization, Audit, Identity Profile, Credential Store Framework
Oracle Entitlements Service (OES)  | Provides externalized fine-grained authorization                             | Authentication, Identity assertion, Authorization, Role mapping, Credential mapping, Cert. lookup, Audit
WebLogic Server (WLS) Container    | Java EE server / container                                                   | Authentication, identity assertion, authorization, role mapping, credential mapping, Cert. lookup, Audit, SSO, SSPI framework for third-party integration
Oracle Access Manager              | Enterprise Single Sign On                                                    | Identity Assertion
Oracle Web Services Manager (OWSM) | Provides SOA and web services security                                       | Authentication, Authorization, Key store service, Credential store framework and Audit
Fusion Applications                | Next Gen Packaged Applications                                               | All services
Fusion Applications Security: One Integrated Security Solution
  Rationalized, centralized, and externalized: authorization policies & decisions; authentication policies & services; user provisioning & administration
  Standards based
  Natively built into our core technologies
  Integrated & understood across all components / tiers
  Reduce the number of points of failure and of modules with potential security holes
  Simplify the administration experience & reduce cost
  Improved developer experience & productivity
  Enforce security regardless of entry point
  Allow customers and auditors to set up and review policies centrally
  Single integration point to Oracle & 3rd party solutions
Fusion Applications Security Architecture
  (diagram) Fusion Applications (ADF, SOA, BI, WebCenter) on OPSS and OWSM
  Access Manager: Single Sign-On; Authentication
  Authz Policy Manager: Authz policy & App Role Mgmt; OES Policy Store
  Identity Manager: Identity & Enterprise Role Mgmt; OID ID Store; SPML
  Oracle RDBMS (diagram labels): User & Role Profile; Authorization; Data security; Apps transaction data
Authorization Policy Manager: Overview
  UI console for administration of OPSS based authorization policies
  Rich desktop-like UI with drag-and-drop capabilities
  Delegated administration
  Extensible
  Standards based: JAAS Permissions & Enterprise RBAC
  Identity Store access through IGF / ArisID
  For customers relying on Oracle ADF security for in-house built ADF applications
  Oracle's next generation Fusion Applications
Oracle Platform Security Services: Identity & Policy Model
  (diagram) APM Console, alongside Oracle Identity Manager and Oracle Access Manager
  Identity Store: Users & Enterprise Roles
  Resource Catalog: Web Services, Data, URLs, UI Artifacts, Scheduled Jobs, Documents
  Policy Store: Authz Policies; Role Catalog (Application Roles); Role Mapping Policies
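The identity & policy model on this slide, as an added worked example that is not code from OPSS, APM or this deck: a self-contained Java model in which the identity store holds users and their enterprise roles, role mapping policies map enterprise roles to application roles, and authorization policies grant JAAS-style permissions on catalogued resources to application roles. Every user, role and resource name, and the checkPermission() helper the application calls, are constructed for the example and are not OPSS APIs.

```java
import java.security.Permission;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;

/*
 * Added example, not OPSS or APM code: an in-memory model of the identity & policy model.
 * Identity store contents, role names, resources and checkPermission() are all constructed.
 */
public class PolicyModelDemo {

    /** JAAS-style permission over a catalogued resource: a resource type, a name and a set of actions. */
    static final class ResourcePermission extends Permission {
        private final String type;
        private final Set<String> actions;

        ResourcePermission(String type, String name, String actions) {
            super(name);
            this.type = type;
            this.actions = new TreeSet<>(Arrays.asList(actions.split(",")));
        }

        /** A grant implies a request when the type matches, the name matches (or the grant
         *  is the wildcard "*"), and every requested action is among the granted actions. */
        @Override public boolean implies(Permission p) {
            if (!(p instanceof ResourcePermission)) return false;
            ResourcePermission req = (ResourcePermission) p;
            boolean nameOk = getName().equals("*") || getName().equals(req.getName());
            return type.equals(req.type) && nameOk && actions.containsAll(req.actions);
        }
        @Override public boolean equals(Object o) {
            if (!(o instanceof ResourcePermission)) return false;
            ResourcePermission other = (ResourcePermission) o;
            return type.equals(other.type) && getName().equals(other.getName()) && actions.equals(other.actions);
        }
        @Override public int hashCode() { return (type + ":" + getName() + ":" + actions).hashCode(); }
        @Override public String getActions() { return String.join(",", actions); }
        @Override public String toString() { return type + ":" + getName() + " [" + getActions() + "]"; }
    }

    // Identity store (constructed): users and the enterprise roles they are members of.
    static final Map<String, Set<String>> IDENTITY_STORE = Map.of(
        "alice",   Set.of("AP_Clerks"),
        "bob",     Set.of("AP_Clerks", "AP_Managers"),
        "mallory", Set.of("Contractors"));

    // Role mapping policies (constructed): enterprise role -> application roles.
    static final Map<String, Set<String>> ROLE_MAPPING = Map.of(
        "AP_Clerks",   Set.of("InvoiceEntry"),
        "AP_Managers", Set.of("InvoiceApprover"));

    // Authorization policies (constructed): application role -> permissions on catalogued resources.
    static final Map<String, List<ResourcePermission>> AUTHZ_POLICIES = Map.of(
        "InvoiceEntry",    List.of(new ResourcePermission("UIArtifact", "InvoiceForm", "view,edit")),
        "InvoiceApprover", List.of(new ResourcePermission("UIArtifact", "InvoiceForm", "view"),
                                   new ResourcePermission("WebService", "*", "invoke")));

    // Audit trail of every decision, in the spirit of a central audit framework.
    static final List<String> AUDIT = new ArrayList<>();

    /** Resolve a user's application roles: identity store -> enterprise roles -> role mapping policies. */
    static Set<String> applicationRoles(String user) {
        Set<String> appRoles = new HashSet<>();
        for (String enterpriseRole : IDENTITY_STORE.getOrDefault(user, Set.of())) {
            appRoles.addAll(ROLE_MAPPING.getOrDefault(enterpriseRole, Set.of()));
        }
        return appRoles;
    }

    /** The only call the application makes; who may do what lives in the policy store, not in app code. */
    static boolean checkPermission(String user, ResourcePermission requested) {
        boolean granted = false;
        for (String appRole : applicationRoles(user)) {
            for (ResourcePermission grant : AUTHZ_POLICIES.getOrDefault(appRole, List.of())) {
                if (grant.implies(requested)) { granted = true; break; }
            }
            if (granted) break;
        }
        AUDIT.add((granted ? "GRANT " : "DENY  ") + user + " -> " + requested);
        return granted;
    }

    public static void main(String[] args) {
        ResourcePermission editForm  = new ResourcePermission("UIArtifact", "InvoiceForm", "edit");
        ResourcePermission invokeSvc = new ResourcePermission("WebService", "PaymentService", "invoke");
        checkPermission("alice",   editForm);   // GRANT: AP_Clerks -> InvoiceEntry -> view,edit on InvoiceForm
        checkPermission("alice",   invokeSvc);  // DENY : InvoiceEntry holds no WebService grant
        checkPermission("bob",     invokeSvc);  // GRANT: AP_Managers -> InvoiceApprover -> invoke on any WebService
        checkPermission("mallory", editForm);   // DENY : Contractors has no role mapping, so no application roles
        AUDIT.forEach(System.out::println);
    }
}
```

The application code never names a user or a group; it only asks whether the caller may perform an action on a catalogued resource. Moving a user between enterprise roles, remapping an enterprise role to a different application role, or narrowing a grant is an edit to the identity or policy store, and the application is neither changed nor redeployed. Each decision also leaves an audit record, which is the evidence an auditor reviews centrally.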
OPSS / APM Benefits
  Better Business Agility
    Manage security from a single place
    An adaptable security service infrastructure that more closely models your business
    Respond faster to changing corporate, regulatory, and market requirements
    Reduce time-to-market
  Enhanced Security and Compliance
    Provides finer control over the protection of all resources
    Separates security decisions from application logic
    Offers robust auditing of events
  Increased IT Efficiency
    Centralizes security policy management
    Enables reuse and sharing of security services
    Frees developers up to focus on value-added business logic
    Integrates easily with identity and access management
Summary
  Externalize security to get business agility, cost saving & compliance
  Oracle's vision for Service-Oriented Security will enable the creation of an Identity Infrastructure that manages identity across both on-premise and cloud environments
  OPSS is the next generation security framework, providing development teams with a standards-based, portable, integrated, enterprise-grade security framework for Java EE and Java SE applications
  APM is the authorization policy management GUI for OPSS based applications
Resources
  OPSS @ OTN: OPSS Whitepaper, OPSS FAQ, APM Datasheet, Help Forum, Documentation on OPSS & APM, Sample App, Blog
For More Information
  search.oracle.com: Oracle Platform Security