We are implementing a web service on WCF. The service is consumed by Oracle weblogic. Communication is done through mutual authentication over HTTPS. The only way the communication is successful is when JSSE is enabled on Weblogic server. However this makes other web services incompatible. Is there a way to enable JSSE on the web service level instead of the server level?
In other words, we need the Weblogic server to enable JSSE only for this specific web service.
Related
I have a spring boot application which runs on Azure Kubernetes Service and it exposes a private IP, using this IP I have configured this API on Azure API Manager. All the traffic will be coming to this spring boot application via API manager. Client to APIM connection is secured with SSL certificate coming from azure API manager. But from API manager to back end API application is not secured it is plain http. Is there any security issues for this architecture?
For your situation, since you already use SSL certificate to protect your APIM, I think the architecture is no problem even though there isn't any security configuration between APIM and backend api. APIM will not expose your backend, so others can't get your backend IP or backend url according to the APIM. So I think you do not need to add any other security configuration for your architecture.
For the comment about Azure AD mentioned by Tiny, you can also use Azure AD to protect your api or APIM, but I think it is unnecessary.
I am creating a Spring Boot application with oauth2 (openid Connect with ADFS) authentication.
The application's server and the ADFS server reside in two different private networks that cannot communicate with each others.
The client (web browser) resides in a third network that can connect to the two others.
Is it possible to set up open id in this configuration?
I cannot figure out how to configure the SpringBoot application to avoid communication between the two servers, like it is with Saml for instance.
you could consider to use OpenID Connect implicit flow which avoids direct communication between application server and identity provider.
We have integrated API Management with Service Fabric in Azure as outlined in this document. Everything is up and running, but we would like to ensure that the traffic between API Management and Service Fabric Stateless Service (ASP.NET Core) is encrypted using HTTPS. Currently the API Management logs show that the traffic is HTTP.
Is there a way to enable HTTPS (or at least encrypted) traffic between API Management and Service Fabric?
APIM gets those http endpoint from SF itself by calling IServiceResolutionClient.ResolveServicePartitionAsync. Are you sure your stateless service is configured with HTTPS scheme at Service Fabric end?
I'm attempting to establish a discovery server with spring cloud Eureka which needs to connect to a secured client. I understand how to secure the Eureka sever itself - that isn't the issue. The issue is in the other direction - how to get Eureka to successfully communicate with a client service that itself is secured.
In other words; I have a discovery client that registers itself with Eureka. That client implements http basic authentication. It can and does successfully register itself with the discovery service, however when I attempt to utilize that service with a lookup to the discovery service, I get authentication failures (on the client service itself) which of course makes sense because I haven't specified any credentials anywhere and have no idea how to do so. Any assistance would be greatly appreciated.
Guessing from your tags you are using spring-cloud.
When you use your service (with RestTemplate or Feign or manually looking up and interacting with it), your request has nothing to do with Eureka. Eureka only provides you information about your services whereabouts. Once you (or some undelying logic) obtained the address of the service, you are directly communicating with it.
Is it possible to configure Oracle SOA composite service for authentication by client certificate? For instance, we have Oracle composite service and WCF service. Composite service should be ensured that only clients with valid certificate have access. How does it should be configured?
You can configure 2-way SSL on weblogic server which hosts Oracle SOA suite. This ensures that only certified clients can make use of your service.
Other option is to use OWSM policies which can be configured for each service. Here is a good link to start with
http://docs.oracle.com/cd/E15523_01/integration.1111/e10226/soacompapp_secure.htm