From the CTO of Vordel on SOA and Cloud Computing

Mark O'Neill



Top Stories by Mark O'Neill

I had a really good discussion with Kaitlin Brunsden from EbizQ on the topic of Cloud Security in general, and API Keys in particular. All too often, CISOs and IT managers do not realize that if their organization is using Amazon Web Services (AWS), for example, then the Secret Key ID used to authenticate to AWS is often sitting on a hard drive or coded into an application. This Secret Key ID, in combination with the Access Key ID (which is readily available through traffic logs) can be used by a malicious user to provision or terminate virtual machines, to access data in Cloud-based queues or databases, or just simply to run up a large charge which will then hit the credit card linked to the API keys. Vordel can help, by protecting the API keys in the same way that our products protect keys used in other contexts (e.g. private keys for SSL). The podcast is here: ... (more)

Signing a SAML Assertion

Signing a SAML assertion in the Vordel XML Gateway is quite straightforward. Firstly, you'll need a private key. Note that it is the private key which is used for signing. The public key (usually contained within an X.509 public key certificate) is used for the signature validation, and can be inserted into the XML Signature block, but it is the private key which is used for the actual signing. Here is a link to information about how to create a public and private key pair in Vordel SOAPbox or the Vordel Policy Studio. You can also, of course, import a private key (or a certificate... (more)

More SAML: Validating a SAML 2.0 Assertion

It's simple to set up the validation of a signed SAML 2.0 assertion in a Vordel XML Gateway. In a circuit, chain together (1) an "XML Signature Verification" filter (which you can find in the "Integrity" group on the right-hand side of Policy Studio), and (2) a "SAML Authentication" filter (which you can find in the "Authentication" group). With the XML Signature Verification filter, make sure that the SAML assertion is selected under "What must be signed". In the filter to validate the SAML assertion, make sure that it's a SAML 2.0 assertion. Really what we are doing here is first veri... (more)

Scriptable Command-Line Testing of Web Services

Did you know that with the free SOAPbox tool and with Vordel's XML Gateway you get a command-line tool which will send traffic to a Web Service and simulate load? Check it out yourself. The tool is called "SR" (Service Request). With its parameter options it allows you to perform a load test, to send an attachment, and to perform SSL. After it runs its test, it presents you with statistics about the response times from the Web Service. It's a good part of any SOA or Cloud API practitioner's tool-belt. ... (more)

Vordel Party at Oracle Open World

Oracle Open World is bigger than ever this year, encompassing JavaOne and Oracle Develop. And Vordel is making it even bigger with our party on Wednesday evening at Townhall on Howard Street, just a short walk from the Moscone Center. The evening includes a conversation-starting talk by Sarah Friar, analyst from Goldman Sachs who provides insightful comment on Oracle and also Cloud Computing. Do Oracle and Cloud Computing go together like cocktails and canapés? Discuss this with Sarah and others over actual cocktails and canapés on September 22nd. Click on the image below to re... (more)