Encrypt Sensitive Data in Oracle SOA 12c
In this post we will explore the option to handle the sensitive data in SOA composite.
For example, Consider a scenario for creating the employee record which has SSN as one of the element. If we do not apply the encryption for this sensitive data, then we might risk compliance issues as this data might be available in Custom Logs/SOA audit logs and visible to anybody.
Unlike Oracle SOA 11g, Oracle SOA 12c provide a easy feature to encrypt this sensitive data.
To demo, we will create a dummy XSD with two elements i.e. Emp Name and SSN.
The composite simply take the Name/SSN as a input and save the data in table.
For saving the data in table I just created a DB adaptor. In most of scenario, you might end up calling another system.
If we run this simple composite by passing some data, and if we look for the soa instance in EM console, the SSN will be clearly visible.
Below are the steps to apply the message encryption from JDEV:
1. Open the composite in JDEV.
2. Right on the Inbound Partner Link -> Encrypt Sensitive Data
3. Click on "oracle/pii_security_policy" and click Edit
4. Set the XPATH for input/output elements which need to be encrypted
5. You might consider cloning the policy if it need to be used in Multiple composites with different parameters.
Note: The clone policy cannot be configured from JDEV, we need to configure it from EM console.
If you need to override clone properties at runtime, we can do via WLST scripts. Please refer below documentation.
Ref: (Configuring Secure Conversation Using WLST)
https://docs.oracle.com/middleware/1213/owsm/security/configure-secureconv.htm#OWSMS5360
6. To configure the CSF key on your environment. By default the CSF key is "pii-csf-key".
You can add the CSF key either from EM console or from Jdev.
If the key is not present on your server then you will get below error.
InvalidSecurity : error in processing the WS-Security security header
Once you deploy this composite, and if we retest, we should see that the SSN element is encrypted.
Note: As the current policy, the Encrypted elements need to be Decrypted before leaving the current composite i.e. another composite will not be able to decrypted it.
Thus in this example, if I do not drcrypt the SSN then in Database it will be stored in encrypted format which will be of no use.
To configure decryption:
7. Right Click on outbound partner link, and you should see Decrypt Sensitive Data option
8. Select the element you want to decrypt, this time it will be the transformed element.
Thus as you can see, it is much easier to implement message level security as compared to 11g.
For example, Consider a scenario for creating the employee record which has SSN as one of the element. If we do not apply the encryption for this sensitive data, then we might risk compliance issues as this data might be available in Custom Logs/SOA audit logs and visible to anybody.
Unlike Oracle SOA 11g, Oracle SOA 12c provide a easy feature to encrypt this sensitive data.
To demo, we will create a dummy XSD with two elements i.e. Emp Name and SSN.
The composite simply take the Name/SSN as a input and save the data in table.
For saving the data in table I just created a DB adaptor. In most of scenario, you might end up calling another system.
If we run this simple composite by passing some data, and if we look for the soa instance in EM console, the SSN will be clearly visible.
Below are the steps to apply the message encryption from JDEV:
1. Open the composite in JDEV.
2. Right on the Inbound Partner Link -> Encrypt Sensitive Data
3. Click on "oracle/pii_security_policy" and click Edit
4. Set the XPATH for input/output elements which need to be encrypted
5. You might consider cloning the policy if it need to be used in Multiple composites with different parameters.
Note: The clone policy cannot be configured from JDEV, we need to configure it from EM console.
If you need to override clone properties at runtime, we can do via WLST scripts. Please refer below documentation.
Ref: (Configuring Secure Conversation Using WLST)
https://docs.oracle.com/middleware/1213/owsm/security/configure-secureconv.htm#OWSMS5360
6. To configure the CSF key on your environment. By default the CSF key is "pii-csf-key".
You can add the CSF key either from EM console or from Jdev.
If the key is not present on your server then you will get below error.
InvalidSecurity : error in processing the WS-Security security header
Note: As the current policy, the Encrypted elements need to be Decrypted before leaving the current composite i.e. another composite will not be able to decrypted it.
Thus in this example, if I do not drcrypt the SSN then in Database it will be stored in encrypted format which will be of no use.
To configure decryption:
7. Right Click on outbound partner link, and you should see Decrypt Sensitive Data option
8. Select the element you want to decrypt, this time it will be the transformed element.
Thus as you can see, it is much easier to implement message level security as compared to 11g.