ENH 27220420 - WEBSERVICES SHOULD PROVIDE ENCRYPTION SECURITY FEATURE FOR USERNAME AND PASSWORDS — Oracle Analytics

Oracle Transactional Business Intelligence Idea Lab


Description

We have a customer who is trying to establish 20+ integrations (including BI
Services) built across multiple product pillars (HCM, Finance, Procurement)
between 2 third-party systems and Oracle Cloud. SOA Cloud is the middleware;
all BPEL processes/transformations/web service calls happen through SOA
Cloud.

When there are integration failures due to data/setup issues, emails are sent
to super users/product pillar owners who would analyse the issue and resubmit
the interface by logging into SOA Cloud.

In SOA Cloud, usernames/passwords would be part of the credential store and
these super users don't have access to them. But with this specific report
service, the runReport method (ReportService.runReport()), as the credentials
are part of the payload, users are able to view them.

Users are not expected to view application usernames and passwords from SOA
Cloud. If they are allowed, they could use the same for logging into the
application, which is obviously a security threat.

And for this the customer has a strong use case where providing the feature
to encrypt username and passwords would alleviate this security threat.

 

Use Case and Business Need

Integrating Oracle product Cloud with third-party products to achieve custom
business needs by using SOA Cloud is proving tricky for the user, since using
the web service (ReportService.runReport()) provided by BIP exposes the user
data to the superusers who are not supposed to see it. So this feature is very
critical, as any kind of integration they want to do depends on it being
secure.

More details

ENH 27220420 - WEBSERVICES SHOULD PROVIDE ENCRYPTION SECURITY FEATURE FOR USERNAME AND PASSWORDS

3-16260927741 - Report Service Security Issue

Original Idea Number: 861949a72c
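
While the web service still expects credentials inside the runReport payload, an integration team can mask those elements before a captured request is displayed or stored for resubmission. The sketch below is an added example, not part of the original post or any Oracle code; the element names (`userID`, `password`), the namespace and the sample values are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Local element names treated as credentials (assumed names, not from the post).
SENSITIVE = {"userid", "username", "password"}
MASK = "********"

# Constructed sample payload; namespace, element names and values are assumptions.
SAMPLE = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
                  xmlns:v2="http://xmlns.oracle.com/oxp/service/v2">
  <soapenv:Body>
    <v2:runReport>
      <v2:reportRequest>
        <v2:reportAbsolutePath>/Custom/Example/Sample.xdo</v2:reportAbsolutePath>
      </v2:reportRequest>
      <v2:userID>integration.user</v2:userID>
      <v2:password>Constructed-Pa55</v2:password>
    </v2:runReport>
  </soapenv:Body>
</soapenv:Envelope>"""


def local_name(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tags."""
    return tag.rsplit("}", 1)[-1]


def redact_payload(xml_text):
    """Return (masked_xml, names_of_masked_elements) for a SOAP payload."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        # Fail closed: never display a payload that could not be inspected.
        return "<payload withheld: not well-formed XML>", []
    masked = []
    for elem in root.iter():
        name = local_name(elem.tag)
        if name.lower() in SENSITIVE and (elem.text or "").strip():
            elem.text = MASK
            masked.append(name)
    return ET.tostring(root, encoding="unicode"), masked


if __name__ == "__main__":
    safe, hits = redact_payload(SAMPLE)
    print("masked elements:", hits)
    print(safe)
```

Masking only changes what viewers of the stored payload see; the credentials still travel in the request body, which is the gap the enhancement request asks to close.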
