Wednesday, December 6, 2017

WS-Security vs SSL/TLS Security with reference to WebServices

SSL/TLS encrypts at the transport level; WS-Security encrypts at the message level. SSL/TLS provides in-transit protection only: the request is encrypted while it travels from client to server (or back) and is in the clear at every point where TLS is terminated. WS-Security keeps the message, or the chosen parts of it, signed and encrypted until the moment the service processes it. SSL/TLS secures messages at the HTTP/transport level, whereas WS-Security secures the XML itself. Performance-wise, SSL/TLS is much faster than WS-Security, which pays for XML canonicalization, signing and encryption on every message.

Note that REST-based web services have no message-level standard comparable to WS-Security; they inherit their security from the underlying transport-level security (SSL/TLS) plus whatever token scheme the API adds on top.

Limitations of SSL/TLS

1.      SSL/TLS is point-to-point, whereas WS-Security is end-to-end. Where multiple intermediary nodes (web servers, load balancers, proxy servers, etc.) sit between the two endpoints, every node that terminates TLS sees the message in the clear and can alter it; a WS-Security signature and encryption survive those hops.
2.      SSL/TLS authenticates the transport endpoints (the server, and optionally the client by certificate), not the originator of the message. WS-Security carries the caller's identity inside the message as a security token (UsernameToken, SAML, X.509), so the service knows which customer sent it (the Know-Your-Customer, KYC, property).
3.      SSL does not provide element-wise signing and encryption. For example, if you have a large purchase order XML document and want to sign or encrypt only the credit card element, that is not possible with SSL: it protects the whole byte stream or nothing, because it is a transport-level scheme rather than a message-level one.
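The element-wise signing described in limitation 3, as an added example that is not part of the original post and does not use Oracle WSM: it uses the JDK's built-in XML Digital Signature API (javax.xml.crypto.dsig), the same XML-DSig mechanism WS-Security builds on, to sign only the CreditCard element of a purchase order. The purchase order, the Id value "cc", the generated RSA key pair and the simulated intermediary edits are all constructed for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.io.StringWriter;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.util.Collections;
import javax.xml.crypto.dsig.CanonicalizationMethod;
import javax.xml.crypto.dsig.DigestMethod;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.SignedInfo;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

// Added example: message-level (element-wise) XML signature with the JDK DSig API.
public class ElementSigning {
    static final String RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";

    // Constructed sample purchase order; only <CreditCard Id="cc"> will be signed.
    static final String PURCHASE_ORDER =
        "<PurchaseOrder>"
      + "<ShipTo><City>Sydney</City></ShipTo>"
      + "<Items><Item sku=\"A1\" qty=\"2\"/></Items>"
      + "<CreditCard Id=\"cc\"><Number>4111111111111111</Number><Expiry>12/19</Expiry></CreditCard>"
      + "</PurchaseOrder>";

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);   // the DSig API requires a namespace-aware DOM
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no XXE
        return dbf.newDocumentBuilder()
                  .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    static String serialize(Document doc) throws Exception {
        StringWriter sw = new StringWriter();
        TransformerFactory.newInstance().newTransformer().transform(new DOMSource(doc), new StreamResult(sw));
        return sw.toString();
    }

    // The document has no schema, so locate the element carrying the Id attribute by hand.
    static Element findById(Document doc, String id) {
        NodeList all = doc.getElementsByTagName("*");
        for (int i = 0; i < all.getLength(); i++) {
            Element e = (Element) all.item(i);
            if (id.equals(e.getAttribute("Id"))) return e;
        }
        return null;
    }

    // Sign only the element referenced by "#id"; the rest of the document stays unsigned
    // and may be rewritten by intermediaries without invalidating the signature.
    static String signElement(String xml, String id, KeyPair kp) throws Exception {
        Document doc = parse(xml);
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        Reference ref = fac.newReference("#" + id, fac.newDigestMethod(DigestMethod.SHA256, null));
        SignedInfo si = fac.newSignedInfo(
            fac.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
            fac.newSignatureMethod(RSA_SHA256, null),
            Collections.singletonList(ref));
        DOMSignContext ctx = new DOMSignContext(kp.getPrivate(), doc.getDocumentElement());
        ctx.setIdAttributeNS(findById(doc, id), null, "Id");   // register "Id" as the ID attribute
        fac.newXMLSignature(si, null).sign(ctx);                // no KeyInfo: verifier gets the key directly
        return serialize(doc);
    }

    // Re-parse the message (as a receiving hop would) and validate the element signature.
    static boolean verifyElement(String xml, String id, PublicKey pub) throws Exception {
        Document doc = parse(xml);
        NodeList sigs = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        Element target = findById(doc, id);
        if (sigs.getLength() == 0 || target == null) return false;
        DOMValidateContext ctx = new DOMValidateContext(pub, sigs.item(0));
        ctx.setIdAttributeNS(target, null, "Id");
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        return fac.unmarshalXMLSignature(ctx).validate(ctx);
    }

    // Simulates an intermediary node rewriting the first element with the given tag.
    static String rewrite(String xml, String tag, String newText) throws Exception {
        Document doc = parse(xml);
        doc.getElementsByTagName(tag).item(0).setTextContent(newText);
        return serialize(doc);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();

        String signed = signElement(PURCHASE_ORDER, "cc", kp);
        System.out.println("signed document verifies:   " + verifyElement(signed, "cc", kp.getPublic()));
        String rerouted = rewrite(signed, "City", "Melbourne");          // unsigned data changed by a hop
        System.out.println("after ShipTo/City rewrite:  " + verifyElement(rerouted, "cc", kp.getPublic()));
        String tampered = rewrite(signed, "Number", "4000000000000002"); // signed data changed by a hop
        System.out.println("after card number rewrite:  " + verifyElement(tampered, "cc", kp.getPublic()));
    }
}
```

Run it as a single-file program (java ElementSigning.java, JDK 11 or later). The signed document verifies, still verifies after an intermediary rewrites the unsigned ShipTo/City element, and fails once the card number inside the signed element is changed; a TLS hop could not give you that distinction, since it never sees individual elements. The same reference-by-Id pattern, with the signature placed in the SOAP header, is what a WS-Security signed message carries.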


Whether or not SSL/TLS is enforced at the server level, you can also require it per web service by attaching an OWSM policy at the web service level, for example oracle/wss_http_token_over_ssl_service_policy, which makes the service reject any request that does not arrive over SSL carrying HTTP basic authentication credentials. The managed server still needs an SSL listen port for such a policy to be satisfiable.

Monday, October 30, 2017

How to configure secure RIDC port in WebCenter Content?

An SSL incoming provider is instantiated to create an SSL server socket to which Intradoc clients (the WCC UI, WebCenter Portal, etc.) connect, so that the traffic is encrypted. The provider can be configured with or without requiring client authentication (the WCC UI managed server is a client of Content Server). When client authentication is not required, the Java RIDC client connecting to the SSL server socket (the Intradoc secure-socket port) does not need to present a certificate. This mode is not very different from a normal, non-SSL Intradoc connection; the main difference is that the traffic is encrypted and cannot be read in the clear from a packet capture. When client authentication is required, the client must supply a valid SSL certificate signed by an authority that is in the server's trust store, which also prevents any host that can reach the port from opening an Intradoc connection and asserting a user name of its choice.
Prerequisites
1.       Oracle WebCenter Content (WCC) 12.2.1 is installed
2.       WCC domain is created and all servers are running.
3.       RIDC non-SSL port is configured and IDC is running on 4444.
Steps:
1.       Create the SSL incoming socket provider (provider type sslincoming) with the following settings:

Provider Name: sslkeepaliveincomingprovider
Provider Description: For RIDC over SSL
Provider Type: sslincoming
Provider Class: idc.provider.ssl.SSLSocketIncomingProvider
Provider Connection: idc.provider.KeepaliveSocketIncomingConnection
Server Thread Class: idc.server.KeepaliveIdcServerThread
Server Port: 4445

Request Client Authentication: No
Require Client Authentication: No

Keystore File Path: /oracle/app/keystores/wcc_keystore.jks
Alias: Dev1WCC
Truststore File Path: /oracle/app/keystore/wcc_trust.jks



Note:
a. The RIDC non-secure port and the RIDC secure port must be different, and the firewall rules for the secure port must be in place.
b. If you want client authentication, tick "Require Client Authentication" on the SSL incoming provider. You must then configure a keystore for each client holding a certificate signed by a CA that is present in the server's truststore; clients without one will be refused at the TLS handshake.

2.       Restart the WCC managed server and make sure the sslincoming provider is in a good state.
Once you have finished the above steps, the IDC server is listening on the RIDC secure (SSL) port and any client can use the idcs protocol against it.
Verification:
1.       Check that the port speaks SSL/TLS
openssl s_client -connect wcchost1:4445

CONNECTED(00000003)
depth=2 C = AU, ST = NSW, L = Sydney, O = myCompany, OU = Digital Certificates Security Services, CN = Imran Mirza
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
0 s:/C=AU/ST=New South Wales/L=Sydney/O=myCompany/OU=Digital Certificates Security Services/CN=Imran Mirza

The "self signed certificate in certificate chain" error only means openssl was not given the private CA that issued the server certificate; rerun with -CAfile pointing at that CA certificate and expect "Verify return code: 0 (ok)". If s_client reports no certificate at all, the provider is not up or the wrong port was used.

2.       Call the IDC service PING_SERVER over the secure port (for example from a RIDC client connected to idcs://wcchost1:4445)
You will see output like:
<?hda version="12.2.1.2.0-2017-07-05 09:25:44Z-r155055" jcharset="UTF8" encoding="utf-8"?>
@Properties LocalData
IdcService=PING_SERVER
IsAllowAnonymous=1
IsJava=1
StatusMessage=You are logged in as ‘weblogic’.

3.       You can then configure the idcs connection URL in any RIDC client, for example the WCC UI application via WLST:

updateRIDCConnection('Oracle WebCenter Content – Web UI',
'WccAdfServerConnection',connUrl='idcs://wcchost1:4445',
credUsername='sysadmin')
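Step 3 and verification step 2 from a custom RIDC client, as an added example that is not code from the post or from Oracle: it connects to the secure Intradoc port with the RIDC Java API (IdcClientManager, IntradocClient and the keystore/trust manager settings documented for idcs:// connections), calls PING_SERVER and prints the StatusMessage. It assumes the RIDC jar is on the classpath and that a WCC with the provider above is reachable; the client keystore and truststore paths, their passwords, the alias "ridcclient" and the user "sysadmin" are placeholders you replace with your own.

```java
import oracle.stellent.ridc.IdcClientException;
import oracle.stellent.ridc.IdcClientManager;
import oracle.stellent.ridc.IdcContext;
import oracle.stellent.ridc.model.DataBinder;
import oracle.stellent.ridc.protocol.ServiceResponse;
import oracle.stellent.ridc.protocol.intradoc.IntradocClient;

// Added example: PING_SERVER over the idcs:// (SSL) Intradoc port with RIDC.
public class SecureRidcPing {

    // Host and port are those of the sslincoming provider created in step 1.
    static final String IDCS_URL = "idcs://wcchost1:4445";

    static IntradocClient connect(IdcClientManager manager, boolean clientAuth) throws IdcClientException {
        // The idcs:// scheme selects the SSL-capable Intradoc protocol.
        IntradocClient client = (IntradocClient) manager.createClient(IDCS_URL);

        // Truststore holding the CA that issued the server certificate (placeholder path/password).
        client.getConfig().setTrustManagerFile("/oracle/app/keystores/ridc_client_trust.jks");
        client.getConfig().setTrustManagerPassword("changeit");

        if (clientAuth) {
            // Only needed when "Require Client Authentication" is set on the provider:
            // the keystore holds a client certificate signed by a CA in the server's truststore.
            client.getConfig().setKeystoreFile("/oracle/app/keystores/ridc_client.jks");
            client.getConfig().setKeystorePassword("changeit");
            client.getConfig().setKeystoreAlias("ridcclient");
            client.getConfig().setKeystoreAliasPassword("changeit");
        }
        return client;
    }

    static String ping(IntradocClient client, String user) throws IdcClientException {
        DataBinder binder = client.createBinder();
        binder.putLocal("IdcService", "PING_SERVER");
        // Intradoc connections are trusted by the socket provider: the user name is asserted,
        // not password-checked. That is why SSL client authentication (or a tight
        // address filter) matters on any port reachable from untrusted hosts.
        ServiceResponse response = client.sendRequest(new IdcContext(user), binder);
        try {
            DataBinder result = response.getResponseAsBinder();
            return result.getLocal("StatusMessage");
        } finally {
            response.close();
        }
    }

    public static void main(String[] args) throws IdcClientException {
        IdcClientManager manager = new IdcClientManager();
        boolean clientAuth = args.length > 0 && args[0].equals("--client-auth");
        IntradocClient client = connect(manager, clientAuth);
        System.out.println(ping(client, "sysadmin"));
    }
}
```

With the provider from step 1 (client authentication off) run it without arguments; once you tick "Require Client Authentication", run it with --client-auth and a keystore whose certificate chains to a CA in wcc_trust.jks, otherwise the TLS handshake fails before any IDC request is sent. A successful call returns the same "You are logged in as ..." StatusMessage shown in verification step 2.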