Showing posts with label oow09.

Thursday, October 15, 2009

Presenting at OpenWorld is an experience

Actually even attending OpenWorld is an experience. I've been to plenty of tech conferences before but OpenWorld is unlike anything I've seen.

Everything about the conference is big - the number of attendees, exhibitors, sessions, even the number of venues since we took over Moscone North, South and West plus the Marriott across the street and the Hilton. The sheer number and breadth of the content was astounding and I'm looking forward to taking advantage of the replays.

Beyond the actual size there's all sorts of attention to detail... Things like blocking off a street for tents for lunch and convenience between Moscone North and South, providing free food & drinks in the exhibit halls, running buses from all of the area hotels to the Moscone. And then, just to say thank you to our customers there was a concert on Wed night with Aerosmith, Roger Daltrey, the Wailers and Three Dog Night.

I managed to get to the keynotes from Scott McNealy, Michael Dell, and Thomas Kurian but was in a customer meeting during Larry's and will have to catch it on replay. From what I've seen on Twitter, blogs and press releases he shared the stage with The Governator, talked about the Exadata V2 box, introduced Fusion Apps (the first enterprise apps built on a modern middleware platform) and a bunch more.

And then there's the actual sessions...

In what I'm sure was a complete mistake someone approved me to do a session on securing WebLogic applications. Naturally I should never be trusted to do something like that on my own so April, the OES product manager, and I did the presentation together.

The session was standing room only and, atypically for technical presentations, the entire thing went off without a hitch. April did the slide show and then I ran through a demo. Since we had a strict time limit I decided to use a recording of the demo rather than doing it live. I had the live system ready if people wanted us to go off the script or dig into unexpected areas, and I wound up using it to show people the code behind the scenes. The recording turned out to be a great idea since it freed me from having to remember which username to log in with and let me focus on what was actually happening and keep a closer eye on people's reactions.

The core takeaway from our presentation was that if you have J2EE apps deployed on WebLogic Server you should take a very close look at two other Oracle products - OAM and OES. OAM gives you single sign-on across all of your apps, including both home grown and shrink wrapped. Web SSO is a well known technology and is pretty widely deployed, and I don't recall anybody in the audience asking any questions about that.

OES was a whole 'nother story. There were questions about nearly every aspect of OES including details of the components, the policy model, how it integrates into WebLogic, what the app server protects automatically, how it's used in an app, and of course licensing questions. April fielded a few questions about integrations with other products I'd not even heard of before and then we ran out of time. After we were kicked out of the room I spent another 20-30 mins in the hallway showing people various aspects of the GUI and answering even more questions about the product. All in all I couldn't have asked for a better experience with my first session.

Unfortunately after the presentation was over and I was headed over to get a bite to eat with Josh I realized that I'd completely forgotten to put a link to the blog! If you're reading this after attending my session thanks for making the effort to find me here!

Wednesday, October 14, 2009

OOW 2009 Presentation Questions

Thanks to everyone who attended our session yesterday. I'll be posting a recording of the demo shortly, but wanted to share a few questions from the audience.

"Can you apply OWSM policies at the operation level or only at the endpoint level?"

So, in contrast to the existing WLS @annotation model, you can only apply policy at the endpoint level. Authorization can then be done from within that policy, as we showed with the OES-OWSM custom assertion.

"How is the SAML Assertion generated and consumed?"

The SAML is generated from within the OOTB OWSM SAML Assertion (policy assertion). It uses configuration information defined in the jps-config.xml - like the name of the issuer. The SAML is validated by the login module - but this is a different login module than the SAMLAuthenticator or SAML capabilities of native WLS.

These are not meant as dings against OWSM. As a long time WLS Security guy, I've become very pleased with the simplicity and ease of configuration that is provided by OWSM. I also really like the extensibility of the custom assertions - it allows you to plug in deep inside of the web-services stack, and that is going to be handy at a TON of customers.

"What is the difference in positioning between OWSM and OSB?"

I think that the decision of when to use OWSM and when to use OSB goes well beyond the security capabilities. I think that there are some use cases around where using the SAML (partner management) capabilities of the WLS stack that is available with OSB would make sense, but this has to be weighed against the fact that OSB uses the WLS 9.2 Web Services stack.

I think that OWSM should not be confused with a full service bus. OWSM is a policy management layer for Web Services....OSB is way more than that.

Monday, October 12, 2009

OOW Initial Impressions

Since I had to get up at 4 am to make my 6 am flight out to OOW, I am a little tired, but I had a few minutes back at the hotel before going out to dinner with the IDM PM team, so I just wanted to muster a quick post.

I forget how BIG Oracle is sometimes. OOW is a massive production, like an invasion of the Moscone center. It took me many minutes inside of the Oracle Demo grounds to find FMW, then IDM, then the people I was looking for to prep for my session tomorrow.

Once inside, some good discussions about a few use cases. I'll put this one out to the blog - in the OES/OWSM integration, "Where should the policies for authorization, and specifically the policy defining the XPath of the attributes OES needs for authorization, be managed?" For the presentation, I have them in OES policy, but I think there is a reasonable argument for them being defined inside of the OWSM policy. My thinking is that the encryption and signing policy (i.e. what parts of the body should be signed) are managed there... why not something like "Authorization XPath"? It's obviously not as flexible... OES can determine on a per-user or per-role basis which attributes are required, but sometimes simpler is better, and maybe just having the XPath defined in OWSM makes more sense. I'm on the fence... push me over.
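To make the "Authorization XPath" idea concrete, here is an added example (my own illustration, not code from the post, from OWSM or from OES) of what a policy-managed XPath looks like once it is evaluated: a constructed map of attribute names to XPaths is applied to a constructed SOAP request with the standard JAXP XPath API, the extracted attributes are handed to a stand-in authorization decision, and the whole thing fails closed if an attribute the policy names is missing. The namespaces, operation name, customer ids and the limit rule are all made up for the example; the real decision would be made by OES.

```java
import java.io.StringReader;
import java.util.Collections;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import javax.xml.XMLConstants;
import javax.xml.namespace.NamespaceContext;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;

public class AuthzXPathDemo {

    /** Constructed "authorization XPath" policy: attribute name -> XPath into the request. */
    static final Map<String, String> ATTRIBUTE_XPATHS = new LinkedHashMap<String, String>();
    static {
        ATTRIBUTE_XPATHS.put("customerId", "/soap:Envelope/soap:Body/ord:placeOrder/ord:customerId");
        ATTRIBUTE_XPATHS.put("amount", "/soap:Envelope/soap:Body/ord:placeOrder/ord:amount");
    }

    /** Prefix bindings used by the XPaths above (the ord namespace is made up). */
    static final NamespaceContext NS = new NamespaceContext() {
        public String getNamespaceURI(String prefix) {
            if ("soap".equals(prefix)) return "http://schemas.xmlsoap.org/soap/envelope/";
            if ("ord".equals(prefix)) return "http://example.com/orders";
            return XMLConstants.NULL_NS_URI;
        }
        public String getPrefix(String uri) { return null; }
        public Iterator<String> getPrefixes(String uri) { return Collections.<String>emptyList().iterator(); }
    };

    /** Pulls every attribute the policy names out of the SOAP request; fails closed if one is absent. */
    static Map<String, String> extractAttributes(String soapRequest) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        // The request body is untrusted input: refuse DTDs before parsing it.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = dbf.newDocumentBuilder().parse(new InputSource(new StringReader(soapRequest)));

        XPath xpath = XPathFactory.newInstance().newXPath();
        xpath.setNamespaceContext(NS);
        Map<String, String> attrs = new LinkedHashMap<String, String>();
        for (Map.Entry<String, String> e : ATTRIBUTE_XPATHS.entrySet()) {
            // String-value of the matched node; an empty string means nothing matched.
            String value = xpath.evaluate(e.getValue(), doc).trim();
            if (value.isEmpty()) {
                throw new SecurityException("attribute " + e.getKey() + " not present in request");
            }
            attrs.put(e.getKey(), value);
        }
        return attrs;
    }

    /** Stand-in for the OES decision (hypothetical rule): callers may only place their own orders, within a role-based limit. */
    static boolean isAuthorized(String callerCustomerId, Set<String> callerRoles, Map<String, String> attrs) {
        boolean ownOrder = callerCustomerId.equals(attrs.get("customerId"));
        long amount = Long.parseLong(attrs.get("amount"));
        long limit = callerRoles.contains("gold") ? 10000 : 1000;
        return ownOrder && amount <= limit;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample request.
        String request =
            "<soap:Envelope xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\">"
          + "<soap:Body><ord:placeOrder xmlns:ord=\"http://example.com/orders\">"
          + "<ord:customerId>C-1001</ord:customerId><ord:amount>2500</ord:amount>"
          + "</ord:placeOrder></soap:Body></soap:Envelope>";
        Map<String, String> attrs = extractAttributes(request);
        System.out.println(attrs);
        System.out.println(isAuthorized("C-1001", Collections.singleton("gold"), attrs));
        System.out.println(isAuthorized("C-1001", Collections.<String>emptySet(), attrs));
    }
}
```

The design point the example makes visible: with the XPaths in the message-protection layer (the OWSM side of the argument), the same attributes are extracted for every caller and the authorization engine only sees the resulting name/value pairs, whereas keeping them in OES policy lets the set of required attributes vary by user or role at the cost of a second place to manage XPaths.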

Lunch with the boss, whom I rarely get to see face-to-face even though I've worked for him for many years. Sushi across the street from Moscone is always good.

Also, at Hasan Rizvi's keynote, he made mention of a "standards based security platform for all of FMW", which is code for OPSS... solid mention.

Vikas and I finally huddled up and reviewed the demo/presentation for tomorrow. I'm excited, I think it all has come together quite nicely. Hopefully, I'll see some of you there tomorrow afternoon.

Friday, July 17, 2009

Oracle Open World 2009 - Identity Management Sessions

The list of sessions for Oracle OpenWorld 2009 is available.

I'll be presenting on Oracle Web Services Manager (OWSM) and securing FMW 11g. I was talking to Vikas last night (driving back from NJ) and the current thinking for the presentation/demo is:

MSFT .net client using Kerberos Token Profile invokes a BPEL process which in turn invokes JAX-WS WebService running on SOA Suite 11g. We'll probably use SAML (Sender vouches?) to get end-to-end identity propagation from BPEL to the final service.

I'm definitely open for input/suggestions for what people would want to see. Also, I'm excited about the opportunity to present as I'll get to continue to come up to speed on OWSM 11g. Obviously, this will be a source for numerous postings here.

Stay tuned

Tuesday, May 19, 2009

SOA Security - Follow-up Question

I got an email in response to a post that I did after last year's OOW.

http://oracleaccessmanagement.blogspot.com/2008/09/soa-security-adt-or-crocodile-filled.html

The question is basically - "How do I propagate the identity from inside an EJB to a Web Service using SAML, specifically how do I get the JAX-WS client to 'know' how to activate the identity propagation?"

I thought this would be a good opportunity to "kick-off" this Oracle Fusion Middleware Security blog. Just over the last year, I've happened to be working on projects that go beyond the Oracle Access Management space, so I thought I'd spin this up for some thoughts on a broader set of topics. I've been working on projects with OSB, ADF Security, WCF integration using SAML and even plain old WLS Security. I hope to post some of those "nuggets" here.

As for the answer to the question:

You can really use either a client side policy or just have the policy attached to the endpoint, and have the stub retrieve it at runtime. In theory, just having the server side policy is better because it can change without making any changes on the client. This all depends on the definition of "any". The code won't have to change, but the configuration of the WLS Security Providers may.

Once the JAAS Subject is established via authentication/authorization to the EJB container, the services of the WLS Security Framework, including Credential Mapping, have access to it. Which credentials are generated is based on the WS-Policy of the target service.

So, assuming that the end-point is configured to use SAML (pick one of the policies from the list of supported SAML policies), the client will use the SAML Credential Mapper to generate the SAML assertion for the subject. In most cases you'll also need to set up a PKI Credential Mapper to pick the certificate used to bind the SAML Assertion into the SOAP Message by signing the request. If you're using the Holder of Key subject confirmation method, then you'll need to also use a PKI cred mapper to retrieve the end-user's certificate to be included in the SAML Assertion itself. Signing of the assertion itself is handled by configuration inside the provider - this is additional protection, and not required in many intranet scenarios.

In the spirit of full disclosure, I did use a client side policy for the OOW demo, but have subsequently implemented SAML with only a server side policy. The trick there is to pass the WSDL to the proxy so that it explicitly calls the service to get the policy.
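As an added illustration of that last point (my own example, not the post's code and not WebLogic's API beyond the standard JAX-WS calls it uses), here is the client side of the EJB-to-web-service hop written both ways: one proxy built from the live WSDL, so the stub sees the policy attached to the endpoint, and one built from a bare endpoint address, which never asks the service for its policy. The service, port and operation names, the endpoint URL and the EJB role are assumptions; the SAML assertion itself is produced by the credential mappers described above from the container-established Subject, so nothing in the bean touches credentials.

```java
import java.net.URL;
import javax.annotation.security.RolesAllowed;
import javax.ejb.Stateless;
import javax.jws.WebMethod;
import javax.jws.WebService;
import javax.xml.namespace.QName;
import javax.xml.ws.Service;
import javax.xml.ws.soap.SOAPBinding;

/** Hypothetical service endpoint interface for the target web service. */
@WebService(name = "OrderPort", targetNamespace = OrderClientBean.NS)
interface OrderPort {
    @WebMethod
    String getOrderStatus(String orderId);
}

/**
 * Stateless EJB that calls the service. The container authenticates the caller
 * before status() runs, which is what establishes the JAAS Subject that the
 * SAML Credential Mapper later turns into an assertion.
 */
@Stateless
@RolesAllowed("customers")
public class OrderClientBean {
    static final String NS = "http://example.com/orders";                      // assumption
    static final QName SERVICE = new QName(NS, "OrderService");                // assumption
    static final QName PORT = new QName(NS, "OrderPort");                      // assumption
    static final String ENDPOINT = "https://orders.example.com/OrderService";  // assumption

    /** Builds the proxy from the WSDL, so the runtime fetches the policy attached to the endpoint. */
    static OrderPort portFromWsdl() throws Exception {
        URL wsdl = new URL(ENDPOINT + "?WSDL");
        Service service = Service.create(wsdl, SERVICE);
        return service.getPort(PORT, OrderPort.class);
    }

    /** Same endpoint, no WSDL: the stub only knows the address and never retrieves the server-side policy. */
    static OrderPort portWithoutWsdl() {
        Service service = Service.create(SERVICE);
        service.addPort(PORT, SOAPBinding.SOAP11HTTP_BINDING, ENDPOINT);
        return service.getPort(PORT, OrderPort.class);
    }

    public String getStatus(String orderId) throws Exception {
        // No username, password or token is handled here. With a SAML policy on the
        // endpoint and the credential mappers configured, the assertion for the current
        // Subject is generated and signed by the WLS Security Framework on the way out.
        return portFromWsdl().getOrderStatus(orderId);
    }
}
```

The contrast matters because the two proxies look identical at the call site: the difference between identity propagation happening and a request going out with no security header is whether the stub was given the WSDL, and that is the configuration-only change the answer refers to when it says the code does not change but the security providers do.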