Chapter 9. Implementing Basic Runtime Governance

This chapter demonstrates how to implement basic Runtime Governance using the standard tools shipped with the Oracle SOA and Governance products. It describes how to use Oracle Web Services Manager to implement security policies for running services, how to monitor services and policy compliance using Oracle Enterprise Manager Fusion Middleware Control, and how to harvest runtime metrics into OER, thereby achieving closed-loop governance.

Tip

This chapter assumes that Web Service Manager Policy Manager (WSM-PM) has been installed in the WebLogic domain alongside SOA Suite and OSB.

Use case

This use case extends Chapter 8, Design-time Service Promotion and Discovery, and details how to implement Runtime Governance for the deployed services. These services enable Weir & Bell to enhance its supply chain process by exposing key business services for consumption by third parties.

Exposing services to untrusted networks for third parties to use means that extra security measures have to be taken to protect Weir and Bell core systems from unauthorized access and other external threats such as:

In order to enforce security and protect internal systems from such threats, Weir and Bell decided to implement three lines of defense:

  • First Line of Defense (or Perimeter Security): Located in the Demilitarized Zone (DMZ), Oracle's API Gateway was introduced to serve as a Policy Enforcement Point (PEP) and protect the internal services against all major external threats. Oracle API Gateway (OAG) was an ideal fit for this requirement because of its advanced security features, such as advanced throttling capability, multi-protocol conversions (for example, native transformation between SOAP and REST/JSON, among others), and support for all major security standards such as WS-Security, WS-Policies, and OAuth.

    Tip

    This book does not cover the implementation of OAG. We recommend referring to the Oracle API Gateway site for further information on this product: http://www.oracle.com/us/products/middleware/identity-management/api-gateway/overview/index.html

  • Second and Third Line of Defense (or Green Zone): Located in the internal network, Web Service Manager was introduced as an extra layer of security between the DMZ and the internal services. The idea behind adding an extra layer of security was not only to protect against systems located in the DMZ that may have been compromised, but also to protect against internal security threats. While these are usually less sophisticated than structured external threats, they still pose a considerable threat to the enterprise.

Furthermore, Weir and Bell recognized that the lifetime of a service does not end once it is deployed into production. By continuously monitoring the performance of a service and capturing meaningful runtime metrics in OER, it is possible to determine whether a service is delivering its desired value, and whether it requires either improvement or retirement.

Subsequent chapters will describe how to:

  • Use Oracle Enterprise Manager Fusion Middleware Control and the WebLogic Console to monitor the health of an SOA infrastructure and its services
  • Apply Web Service Manager security policies to Oracle SOA Suite and OSB services

Harvesting of runtime metrics into OER will be covered in the next chapter.
