This discussion is archived
1 Reply Latest reply: May 28, 2013 10:55 AM by Jani Rautiainen

Fusion SaaS Inbound Integration Security Questions -- UCM, FBL and BIP

user622533 Newbie
Hi,

We are building a tool to automate inbound interfaces using Data Loader (File Based Loader 1.3). The target is Release 8. The tool will perform the following:

1. Upload and check in data file (in Data Loader template format) to UCM either via Java API oracle.ucm.client.UploadTool or UCM Web Service GenericSoapService
2. Execute the DataLoader job for the above file by calling Web Service LoaderIntegrationService
3. Retrieve batch load status by calling BI Publisher Web Service ReportService (custom BIP data model). Handle any errors by parsing the XML report output.

We have done a POC in Release 7 and it is working.

However for a Production solution we need to consider the security aspect to these service / API calls. The client wishes to use SAML authentication.

Questions:
• Can the external services (UCM, HCM and BIP) be IP restricted?
• Can SaaS customers use the UCM Web Service GenericSoapService to check in files for loading (Release 7 onwards)? In the POC we used the Java API oracle.ucm.client.UploadTool.
• I understand that all External HCM services including LoaderIntegrationService implement security policy wss11_saml_or_username_token_with_message_protection_service_policy. Can the UCM upload Web Service be configured to implement the same security policy?
• Can the BI Publisher ReportService be configured to implement security policy wss11_saml_or_username_token_with_message_protection_service_policy?
• Therefore will it be possible to use either SAML or Username and password authentication for the above services or the UCM Java API?

Regards,

John
  • 1. Re: Fusion SaaS Inbound Integration Security Questions -- UCM, FBL and BIP
    Jani Rautiainen Journeyer
    • Can the external services (UCM,HCM and BIP) be IP restricted?
    --> Depends on the services called; if they support OWSM then one way would be a custom OWSM assertion (http://docs.oracle.com/cd/E28280_01/web.1111/e13882/extgd_samples.htm#CIHEEJHD). If that is not suitable, can you elaborate on the requirement?
    • Can SaaS customers use the UCM Web Service GenericSoapService to check in files for loading (Release 7 onwards)? In the POC we used the Java API oracle.ucm.client.UploadTool.
    --> Not sure what the question is; is the concern whether the service is available in release 7, whether it provides a specific feature ("check in files for loading") or whether it supports OWSM policies?
    • I understand that all External HCM services including LoaderIntegrationService implement security policy wss11_saml_or_username_token_with_message_protection_service_policy.
    Can the UCM upload Web Service be configured to implement the same security policy?
    --> In general policies attached to WS can be managed using Fusion Middleware Control or the WebLogic Scripting Tool (WLST) (http://docs.oracle.com/cd/E23943_01/web.1111/b32511/attaching.htm#CEGDGIHD). The documentation (http://docs.oracle.com/cd/E14571_01/doc.1111/e10807/web_services001.htm) states for UCM:
    > The generic Oracle UCM Web Services are JAX-WS based and can be assigned OWSM policies and managed by OWSM. The native Oracle UCM Web Services are SOAP based and can only support WS-Policy policies managed through the Oracle WebLogic Administration Console.
    So support depends on the service that you use.
    • Can the BI Publisher ReportService be configured to implement security policy wss11_saml_or_username_token_with_message_protection_service_policy?
    --> I am not sure about this; if I remember correctly, BI Publisher is using the same OPSS framework for identities, however I think there were differences in the security implementation. The documentation (http://docs.oracle.com/cd/E28280_01/bi.1111/e22259/toc.htm) for the ReportService (http://docs.oracle.com/cd/E28280_01/bi.1111/e22259/reportservice.htm#T569713) does not provide the details, so I would need to contact colleagues on this.
    • Therefore will it be possible to use either SAML or Username and password authentication for the above services or the UCM Java API?
    --> This depends on the services used; each service used needs to be evaluated for whether OWSM policies are supported. For specifics on the services I would need to contact colleagues with expertise on them; can you provide exact details of each of the services you are planning to use?

    --
    Jani Rautiainen
    Fusion Applications Developer Relations
    https://blogs.oracle.com/fadevrel/
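
The reply says each service has to be evaluated separately for policy support. As an added example (not from the thread and not Oracle code), the following Python script lists the WS-Policy references each binding in a WSDL advertises and reports the bindings that do not reference the policy named in the question. It assumes the service publishes its attached policy in its WSDL; the sample WSDL and its binding names are constructed.

```python
import xml.etree.ElementTree as ET

WSDL_NS = "http://schemas.xmlsoap.org/wsdl/"
# WS-Policy 1.2 and 1.5 namespaces; a WSDL may use either one.
WSP_NS = ("http://schemas.xmlsoap.org/ws/2004/09/policy",
          "http://www.w3.org/ns/ws-policy")
# Policy name taken from the question in this thread.
EXPECTED = "wss11_saml_or_username_token_with_message_protection_service_policy"

# Constructed sample input: one binding with the policy, one without.
SAMPLE_WSDL = """<wsdl:definitions
    xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
  <wsdl:binding name="ProtectedServiceBinding" type="tns:A">
    <wsp:PolicyReference
      URI="#wss11_saml_or_username_token_with_message_protection_service_policy"/>
  </wsdl:binding>
  <wsdl:binding name="UnprotectedServiceBinding" type="tns:B"/>
</wsdl:definitions>"""


def advertised_policies(wsdl_text):
    """Map each wsdl:binding name to the policy names it references.

    References nested below the binding (operation or message level)
    are included as well.
    """
    root = ET.fromstring(wsdl_text)
    result = {}
    for binding in root.iter("{%s}binding" % WSDL_NS):
        names = []
        for ns in WSP_NS:
            for ref in binding.iter("{%s}PolicyReference" % ns):
                uri = ref.get("URI", "")
                # "#local_id" or "oracle/name" -> bare policy name
                names.append(uri.lstrip("#").rsplit("/", 1)[-1])
        result[binding.get("name")] = names
    return result


def missing_expected(wsdl_text, expected=EXPECTED):
    """Return the bindings that do not advertise the expected policy."""
    policies = advertised_policies(wsdl_text)
    return sorted(name for name, pols in policies.items()
                  if expected not in pols)


if __name__ == "__main__":
    for name, pols in advertised_policies(SAMPLE_WSDL).items():
        print(name, pols or "no policy advertised")
    print("missing expected policy:", missing_expected(SAMPLE_WSDL))
```

A binding reported as missing only means the WSDL does not advertise the policy; the attachment itself still has to be confirmed on the server side.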
