Showing posts with label Security.

May 26, 2022

Review: Securing containers & cloud for dummies

Securing containers & cloud (provided by Sysdig) is a booklet with 42 pages and 7 chapters. Like most of the "for dummies" series, the last chapter is a summary with ten considerations.

But let's start from the beginning:
Chapter one, "understanding cloud security", is a really nice abstract. Here are some of the topics you should be aware of: "overprivileged identities", "visibility over cloud assets", "leaving out IT", "former employees, one-time users and guest accounts that are left active", ... Knowing that, the following proposal is made: "to detect and stop cyber threats [..] first step is to see them". Therefore a single event store should be used, and an open-source solution, because of validation and transparency.
The second chapter is named "securing infrastructure as code (IaC)". The typical arguments for IaC are speed, scalability, resilience and reproducibility, but what about security? IaC is created by the developers, and this code has to be checked just like the application sources. And even if the IaC is checked, configuration templates in a CI/CD pipeline will suffer from drift. "Policy as code PaC allows you to leverage a shared policy model across multiple IaC, cloud, and Kubernetes environments. Not only does PaC provide consistency and strengthen security, but also it saves time and allows you to scale faster."
"Preventing Vulnerabilities" is the third chapter. Many images in production contain patchable vulnerabilities, which should be patched. So selecting container images from any source (including DockerHub) without scanning them is not a good idea. One subsection here is "Automate vulnerability scanning in the CI/CD pipeline". I think this is something you should read in the booklet in detail.
After scanning for vulnerabilities, the next chapter is about detecting and responding to threats. This chapter is only about 3 pages, and it is more an appetizer for Falco, which is a solution from Sysdig.
The sixth chapter, named "Targeting monitoring and troubleshooting issues", is a plea for open source. "Avoiding Vendor Lock-In" is key to success, at least from the perspective of the authors.
As mentioned at the beginning, the last chapter is a ten-point summary of the topic. This is a quick checklist you can use.

All in all, a very good high-level introduction into "Securing Containers & Cloud". I recommend all DevOps engineers and developers spend half an hour reading this booklet.

Dec 4, 2020

AVM Fritz.Box: how to do an automatic login and get the active WLAN devices

The AVM Fritz.Box is really a great device, but the possibilities to get monitoring data are very limited. (Please read this posting.)

Which data do I want?

I want the data which is presented in the networking tab:

If I trace the network traffic with the developer tools, I see the following:

To reproduce this on my command line, I have to enter this into my bash:

curl 'http://fritz.box/data.lua' \
  -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:82.0) Gecko/20100101 Firefox/82.0' \
  -H 'Accept: */*' \
  -H 'Accept-Language: de,en;q=0.7,en-US;q=0.3' --compressed \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -H 'Origin: http://fritz.box' -H 'Connection: keep-alive' \
  -H 'Referer: http://fritz.box/' -H 'Pragma: no-cache' \
  -H 'Cache-Control: no-cache' \
  --data-raw 'xhr=1&sid=cb......SID&lang=de&page=netDev&xhrId=cleanup&useajax=1&no_sidrenew='

(the backslash line continuations are added here; you still have to put your own SID into the last line).

Then you will get a JSON object beginning with these lines:

{
  "pid": "netDev",
  "hide": {
    "ssoEmail": true,
    "shareUsb": true,
    "liveTv": true,
    "faxSet": true,
    "dectMoniEx": true,
    "rss": true,
    "mobile": true,
and all the other information.

The problem: How to get this SID?

If you trace the login, it is not as simple as the password just being sent to the Fritz.Box: they use PBKDF2 to hash the password and then send the result to the Fritz.Box.

You can find some information about that here:

https://avm.de/fileadmin/user_upload/Global/Service/Schnittstellen/AVM%20Technical%20Note%20-%20Session%20ID_EN%20-%20Nov2020.pdf


Inside this document a PHP program is given which does the login (not really: I think it did the job years ago, but now it falls back to md5 authentication. I fixed this; just post a comment if you want this pbkdf2-enabled PHP script). I wrote a small JavaScript, which I execute with node, and after that I was able to log the data into my InfluxDB and show it inside Grafana:


If you are interested in the configuration, the JS script and the collect commands, then post a comment...
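The challenge-response login the post refers to, as an added example in Python (this is not the author's node script, which was never posted): the version-2 challenge format "2$<iter1>$<salt1>$<iter2>$<salt2>", the two rounds of PBKDF2-HMAC-SHA256, the legacy MD5 fallback and the login_sid.lua?version=2 endpoint with its username/response POST follow the linked AVM technical note. The challenge string and password used at the bottom are constructed sample values, and login_sid() is the only part that talks to a real box.

```python
import hashlib
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET


def parse_challenge(challenge):
    """Split a version-2 challenge "2$<iter1>$<salt1>$<iter2>$<salt2>" (format per the AVM note)."""
    parts = challenge.split("$")
    if len(parts) != 5 or parts[0] != "2":
        raise ValueError("not a version-2 challenge: %r" % challenge)
    return {
        "iter1": int(parts[1]),
        "salt1": bytes.fromhex(parts[2]),
        "iter2": int(parts[3]),
        "salt2": bytes.fromhex(parts[4]),
        "salt2_hex": parts[4],  # echoed verbatim as the first half of the response
    }


def calculate_response(challenge, password):
    """Version 2: two rounds of PBKDF2-HMAC-SHA256; the box only receives hash2, never the password."""
    c = parse_challenge(challenge)
    hash1 = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), c["salt1"], c["iter1"])
    hash2 = hashlib.pbkdf2_hmac("sha256", hash1, c["salt2"], c["iter2"])
    return c["salt2_hex"] + "$" + hash2.hex()


def calculate_md5_response(challenge, password):
    """Version 1 (the legacy fallback the post mentions): md5 over "<challenge>-<password>" in UTF-16LE."""
    digest = hashlib.md5((challenge + "-" + password).encode("utf-16le")).hexdigest()
    return challenge + "-" + digest


def login_sid(base_url, username, password):
    """Fetch a challenge, answer it and return the SID. Talks to a real box, so it is not run by the test."""
    url = base_url.rstrip("/") + "/login_sid.lua?version=2"
    with urllib.request.urlopen(url) as resp:
        doc = ET.fromstring(resp.read())
    block_time = doc.findtext("BlockTime", "0")
    if block_time != "0":
        # the box throttles after failed logins; retrying earlier only extends the block
        raise RuntimeError("login blocked for %s s after failed attempts" % block_time)
    challenge = doc.findtext("Challenge", "")
    if challenge.startswith("2$"):
        response = calculate_response(challenge, password)
    else:
        response = calculate_md5_response(challenge, password)
    body = urllib.parse.urlencode({"username": username, "response": response}).encode("ascii")
    with urllib.request.urlopen(url, data=body) as resp:
        sid = ET.fromstring(resp.read()).findtext("SID")
    if sid is None or sid == "0000000000000000":  # all-zero SID means "not logged in"
        raise RuntimeError("login failed")
    return sid


if __name__ == "__main__":
    # constructed sample values: a challenge as the box would send it and a throwaway password
    print(calculate_response("2$10000$5A1711$2000$5A1722", "1example!"))
```

The SID returned by login_sid() is what goes into the sid= field of the data.lua request above; it expires after a period of inactivity, so a collector should keep the SID and only log in again when data.lua stops answering with the expected JSON.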

May 10, 2019

Wireguard: Status information / using the wg command


After the installation of WireGuard on two servers, I shut down the secondary server, and after 4 hours I ran the wg command:
root@zerberus:~# wg
interface: wg0
  public key: XXX=
  private key: (hidden)
  listening port: 46932

peer: YYY=
  endpoint: 192.168.178.54:35891
  allowed ips: 10.0.0.2/32
  latest handshake: 4 hours, 19 minutes, 2 seconds ago
  transfer: 348 B received, 436 B sent
With the "ip addr" command there is nothing really interesting:
root@zerberus:~# ip addr show wg0
5: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none 
    inet 10.0.0.1/24 scope global wg0
       valid_lft forever preferred_lft forever
Just to get some information about the "wg" command:
root@zerberus:~# wg help
Usage: wg <cmd> [<args>]

Available subcommands:
  show: Shows the current configuration and device information
  showconf: Shows the current configuration of a given WireGuard interface, for use with `setconf'
  set: Change the current configuration, add peers, remove peers, or change peers
  setconf: Applies a configuration file to a WireGuard interface
  addconf: Appends a configuration file to a WireGuard interface
  genkey: Generates a new private key and writes it to stdout
  genpsk: Generates a new preshared key and writes it to stdout
  pubkey: Reads a private key from stdin and writes a public key to stdout
You may pass `--help' to any of these subcommands to view usage.
and one more example:
root@zerberus:~# wg showconf wg0

[Interface]
ListenPort = 46932
PrivateKey = TTT=

[Peer]
PublicKey = XXX=
AllowedIPs = 10.0.0.2/32
Endpoint = 192.168.178.54:35891
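
Turning the wg output above into a simple check is an added example (Python, not something from the post): it parses the human-readable format shown above and lists peers whose latest handshake is older than a threshold, or that never completed one. The sample output is constructed from the post's format with two extra peers; the "Now" wording for a handshake younger than a second is an assumption about wg's output. For scripting, wg show wg0 dump gives a tab-separated form with the handshake as a Unix timestamp, which avoids parsing these prose durations.

```python
import re

UNIT_SECONDS = {"year": 365 * 86400, "day": 86400, "hour": 3600, "minute": 60, "second": 1}
AGE_RE = re.compile(r"(\d+) (year|day|hour|minute|second)s?")


def handshake_age_seconds(text):
    """Turn '4 hours, 19 minutes, 2 seconds ago' into 15542; 'Now' (assumed wording) into 0."""
    if text.strip() == "Now":
        return 0
    return sum(int(n) * UNIT_SECONDS[unit] for n, unit in AGE_RE.findall(text))


def parse_wg_show(text):
    """Parse the human-readable `wg` output into one dict per peer."""
    peers = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("peer:"):
            current = {"public_key": line.split(":", 1)[1].strip(), "handshake_age": None,
                       "endpoint": None, "allowed_ips": None}
            peers.append(current)
        elif current is not None and ":" in line:
            # the interface block comes before any peer and is skipped on purpose
            key, value = (part.strip() for part in line.split(":", 1))
            if key == "latest handshake":
                current["handshake_age"] = handshake_age_seconds(value)
            elif key == "endpoint":
                current["endpoint"] = value
            elif key == "allowed ips":
                current["allowed_ips"] = value
    return peers


def stale_peers(peers, max_age):
    """Public keys of peers that never handshaked or whose last handshake is older than max_age seconds."""
    return [p["public_key"] for p in peers
            if p["handshake_age"] is None or p["handshake_age"] > max_age]


# constructed sample in the format of the post: the 4-hour-old peer, a fresh peer, a never-connected peer
SAMPLE = """\
interface: wg0
  public key: XXX=
  private key: (hidden)
  listening port: 46932

peer: YYY=
  endpoint: 192.168.178.54:35891
  allowed ips: 10.0.0.2/32
  latest handshake: 4 hours, 19 minutes, 2 seconds ago
  transfer: 348 B received, 436 B sent

peer: AAA=
  endpoint: 192.168.178.60:51820
  allowed ips: 10.0.0.3/32
  latest handshake: 12 seconds ago
  transfer: 1.20 KiB received, 2.50 KiB sent

peer: BBB=
  allowed ips: 10.0.0.4/32
"""

if __name__ == "__main__":
    for key in stale_peers(parse_wg_show(SAMPLE), 3600):
        print("no handshake within the last hour:", key)
```

WireGuard only performs a handshake when there is traffic to send (and rekeys after about two minutes of activity), so an idle but healthy peer also shows an old handshake. Read the result as "unreachable or idle" and pair it with a ping through the tunnel, as the author does in the installation post, before treating a peer as down.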


May 3, 2019

Wireguard: Installation & configuration

To install WireGuard I followed these instructions.
The first step is to add the repository to your machine:

root@zerberus:~# add-apt-repository ppa:wireguard/wireguard
 WireGuard is a novel VPN that runs inside the Linux Kernel. This is the Ubuntu packaging for WireGuard. More info may be found at its website, listed below.

More info: https://www.wireguard.com/
Packages: wireguard wireguard-tools wireguard-dkms

Install with: $ apt install wireguard

For help, please contact 
Then the installation:

root@zerberus:~# apt install wireguard
Paketlisten werden gelesen... Fertig
Abhängigkeitsbaum wird aufgebaut.       
Statusinformationen werden eingelesen.... Fertig
Die folgenden Pakete wurden automatisch installiert und werden nicht mehr benötigt:
  btrfs-tools geoip-database-extra libcryptui0a libjs-openlayers seahorse-daemon
Verwenden Sie »apt autoremove«, um sie zu entfernen.
Die folgenden zusätzlichen Pakete werden installiert:
  wireguard-dkms wireguard-tools
Die folgenden NEUEN Pakete werden installiert:
  wireguard wireguard-dkms wireguard-tools
0 aktualisiert, 3 neu installiert, 0 zu entfernen und 1 nicht aktualisiert.
Es müssen 640 kB an Archiven heruntergeladen werden.
Nach dieser Operation werden 4.814 kB Plattenplatz zusätzlich benutzt.
Möchten Sie fortfahren? [J/n] 
Holen:1 http://ppa.launchpad.net/wireguard/wireguard/ubuntu bionic/main amd64 wireguard-dkms all 0.0.20190123-wg1~bionic [551 kB]
Holen:2 http://ppa.launchpad.net/wireguard/wireguard/ubuntu bionic/main amd64 wireguard-tools amd64 0.0.20190123-wg1~bionic [85,2 kB]
Holen:3 http://ppa.launchpad.net/wireguard/wireguard/ubuntu bionic/main amd64 wireguard all 0.0.20190123-wg1~bionic [4.136 B]
Es wurden 640 kB in 0 s geholt (1.307 kB/s).
Vormals nicht ausgewähltes Paket wireguard-dkms wird gewählt.
(Lese Datenbank ... 471444 Dateien und Verzeichnisse sind derzeit installiert.)
Vorbereitung zum Entpacken von .../wireguard-dkms_0.0.20190123-wg1~bionic_all.deb ...
Entpacken von wireguard-dkms (0.0.20190123-wg1~bionic) ...
Vormals nicht ausgewähltes Paket wireguard-tools wird gewählt.
Vorbereitung zum Entpacken von .../wireguard-tools_0.0.20190123-wg1~bionic_amd64.deb ...
Entpacken von wireguard-tools (0.0.20190123-wg1~bionic) ...
Vormals nicht ausgewähltes Paket wireguard wird gewählt.
Vorbereitung zum Entpacken von .../wireguard_0.0.20190123-wg1~bionic_all.deb ...
Entpacken von wireguard (0.0.20190123-wg1~bionic) ...
wireguard-dkms (0.0.20190123-wg1~bionic) wird eingerichtet ...
Loading new wireguard-0.0.20190123 DKMS files...
Building for 4.17.0-rc3
Building initial module for 4.17.0-rc3
Secure Boot not enabled on this system.
Done.

wireguard:
Running module version sanity check.
 - Original module
   - No original module exists within this kernel
 - Installation
   - Installing to /lib/modules/4.17.0-rc3/updates/dkms/

depmod.....

DKMS: install completed.
wireguard-tools (0.0.20190123-wg1~bionic) wird eingerichtet ...
wireguard (0.0.20190123-wg1~bionic) wird eingerichtet ...
Trigger für man-db (2.8.3-2ubuntu0.1) werden verarbeitet ...
root@zerberus:~# 
And then the configuration:
(I extracted the steps from the video here)
root@zerberus:~# wg genkey > /root/private.wireguard
Warning: writing to world accessible file.
Consider setting the umask to 077 and trying again.

root@zerberus:~# ls -l /root/
insgesamt 4
-rw-r--r-- 1 root root 45 Apr 27 18:55 private.wireguard

root@zerberus:~# cat /root/private.wireguard 
XXXYYYY....=
root@zerberus:~# wg pubkey  < /root/private.wireguard
ZZZAAAA...=

root@zerberus:~# ip link add wg0 type wireguard
root@zerberus:~# ip addr add 10.0.0.1/24 dev wg0
root@zerberus:~# wg set wg0 private-key /root/private.wireguard 
root@zerberus:~# ip link set wg0 up

root@zerberus:~# ifconfig
....
wg0: flags=209<UP,POINTOPOINT,RUNNING,NOARP>  mtu 1420
        inet 10.0.0.1  netmask 255.255.255.0  destination 10.0.0.1
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 1000  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
All the steps up to here have to be done on both servers.
My setup was:
  • server 1: "public ip" 192.168.178.39, vpn ip 10.0.0.1
    public wireguard key XXX
    wireguard port: 46932 (how to get this number: just move on)
  • server 2: "public ip" 192.168.178.54, vpn ip 10.0.0.2
    public wireguard key YYY
    wireguard port: 35891
To get the public keys and the port number use this command:
root@zerberus:~# wg

interface: wg0
  public key: XXX
  private key: (hidden)
  listening port: 46932
Then use the IP, port and public key from the secondary server:
root@zerberus:~# wg set wg0 peer 23P8GMzwpnpaw38wEERXev1jJIQlkhB/lZB35wwXVD4= allowed-ips 10.0.0.2/32 endpoint 192.168.178.54:35891
Do the same on the secondary machine with the IP, port and public key from the primary server.

And after that you can check with:
root@zerberus:~# ping 10.0.0.2

PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data.
64 bytes from 10.0.0.2: icmp_seq=1 ttl=64 time=47.0 ms
64 bytes from 10.0.0.2: icmp_seq=2 ttl=64 time=63.8 ms
^C
--- 10.0.0.2 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 47.018/55.442/63.866/8.424 ms
I think this was much easier than setting up IPSec or OpenVPN.


Jun 3, 2017

Ubuntu: visudo problem / NOPASSWD option does not work for commands

It is always the same:
After a fresh Linux installation, commands like
/usr/sbin/s2disk
/sbin/reboot
only work after entering your password every time (or precisely: once after every reboot).
This can be changed with visudo:
export EDITOR=vi; visudo
Inside the /etc/sudoers.conf you will see:
# User privilege specification
root    ALL=(ALL:ALL) ALL

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
And this is the problem:
The first idea is to duplicate the line
root    ALL=(ALL:ALL) ALL
schroff    ALL=(ALL) NOPASSWD: /usr/sbin/s2disk
and make the desired changes there.

BUT: This will not work!

You have to add your line at the end of the file, and after you exit vi (or whatever editor you have configured) it will work... The reason is the matching order in sudoers: when several entries match, the last one wins, so a NOPASSWD line placed above the "%admin ALL=(ALL) ALL" entry is overridden by that later rule, which still asks for a password.
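Why the order matters can be shown with a small resolver, added here as a Python example (it is not sudo's code: only the user/group, the command list and the NOPASSWD/PASSWD tag of an entry are evaluated, while the host and runas fields are parsed but ignored). The two sudoers snippets are constructed from the post's lines.

```python
import re

# One sudoers entry: "who host=(runas) [NOPASSWD:|PASSWD:] cmd1, cmd2"
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>[^=\s]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tag>(?:NOPASSWD|PASSWD):\s*)?"
    r"(?P<cmds>.+)$"
)


def parse_sudoers(text):
    """Parse the subset of sudoers(5) syntax used in the post into rule dicts, in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drops comments, blank lines and #include lines
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unsupported sudoers line: %r" % raw)
        rules.append({
            "who": m.group("who"),
            "nopasswd": (m.group("tag") or "").startswith("NOPASSWD"),
            "commands": [c.strip() for c in m.group("cmds").split(",")],
        })
    return rules


def rule_matches(rule, user, groups, command):
    """A rule applies if its user (or %group) covers the caller and it lists the command or ALL."""
    who = rule["who"]
    if who.startswith("%"):
        if who[1:] not in groups:
            return False
    elif who != user:
        return False
    return any(c == "ALL" or c == command for c in rule["commands"])


def password_required(rules, user, groups, command):
    """None when no rule permits the command; otherwise the LAST matching entry decides (sudoers(5))."""
    decision = None
    for rule in rules:
        if rule_matches(rule, user, groups, command):
            decision = not rule["nopasswd"]
    return decision


# constructed from the post: the NOPASSWD line copied next to root's entry ...
WRONG_ORDER = """\
root    ALL=(ALL:ALL) ALL
schroff ALL=(ALL) NOPASSWD: /usr/sbin/s2disk
%admin  ALL=(ALL) ALL
"""

# ... and the same line appended at the end of the file
RIGHT_ORDER = """\
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
schroff ALL=(ALL) NOPASSWD: /usr/sbin/s2disk, /sbin/reboot
"""

if __name__ == "__main__":
    for label, text in (("above %admin", WRONG_ORDER), ("at the end", RIGHT_ORDER)):
        needed = password_required(parse_sudoers(text), "schroff", {"admin"}, "/usr/sbin/s2disk")
        print("NOPASSWD line %s: password required = %s" % (label, needed))
```

The same ordering rule explains why a later `%admin` or `%sudo` line can silently re-enable the password prompt after a package upgrade rewrites /etc/sudoers: putting local exceptions into a file under /etc/sudoers.d/ (which `#includedir` pulls in after the main file) keeps them last.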

Feb 18, 2017

Linux: keyring-password for wlan needed / legitimate wlan login

Each time I resume my notebook after a suspend-to-disk cycle, the connection to WLAN hangs with the following message:

 (Die Systemrichtlinien verhinder das Bearbeiten von Netzwerkeinstellungen für alle Benutzer / Enter password for default keyring to unlock)
I tried to fix this via network-manager by ticking the checkbox "Alle Benutzer dürfen dieses Netzwerk verwenden", but this did not help at all.
The point is that after resuming, my login keyring wants an authentication with a password again. But this behaviour can easily be changed with the tool seahorse.
(Installation in Debian with: apt-get install seahorse)

After starting seahorse choose "File -> New" and you will get the following dialog:
 Create a new password keyring (Passwort-Schlüsselbund),
 choose a name,
 and do not enter a password (this is not really secure, but if you configure your screensaver to lock your screen with a password, this should not be a problem).
 Confirm the empty password, and then you are done.

At the end you have to delete the old keyring (the one with the password):
This is done by right-clicking the appropriate item...

After all these steps you should not see this legitimate-popup anymore...

Oct 31, 2009

Password policies: enforcing digits/uppercase letters using pam-config

Since my last posting about password policies on Debian, I got several mails with the following question:
How to configure pluggable authentication modules (PAM) with the command pam-config?
This is necessary because some Linux distributions add the following header on all files inside /etc/pam.d/:
# This file is autogenerated by pam-config. All changes
# will be overwritten.
Running pam-config --help shows 155 lines. For newbies this is completely unreadable. Querying the net with Google gives the manpage but no examples...
So let's start.
To get the current password check method run the following command:
# pam-config -q --pwcheck
password: nullok cracklib
This was easy. So just add a ucredit rule:
# pam-config -a --cracklib-ucredit=-2 --cracklib
INFO: pam_pwcheck.so und pam_cracklib.so aktiviert,
INFO: nur pam_pwcheck.so mit aktivierter Cracklib-Unterstützung wird benutzt.
Hmm. pwcheck has to be removed. Not really difficult:
# pam-config -d --pwcheck
After that, retry the command with ucredit:
# pam-config -a --cracklib-ucredit=-2 --cracklib
And how can you check that it has really worked?
# pam-config -q --cracklib
password: ucredit=-2
Here is the complete reference of pam-config:
# pam-config --help
Anwendung: pam-config -a|-c|-d [...]
pam-config - Erstelle PAM-Konfigurationsdateien.

  -a, --add         Füge Optionen/PAM-Module hinzu.
  -c, --create      Erstelle neue Konfiguration.
  -d, --delete      Entferne Optionen/PAM-Module.
      --confdir     Benutze ein benutzerdefiniertes Konfigurations-Verzeichnis
      --initialize  Konvertiere alte Konfiguration and erstelle neue.
      --service config  Dienst zum modifizieren der Konfiguration von
      --update      Lese momentane Konfiguration und schreibe sie neu
  -q, --query       Anfrage für installierte Module und Optionen
      --list-modules Zeige alle unterstützten Module
      --help        Gibt diese Hilfeliste aus
  -u, --usage       Gibt eine kurze Gebrauchsanweisung aus
  -v, --version     Ausgabe der Programmversion

Globale Modul-Optionen:
      Die globalen Module werden eingesetzt in die
      common-{account,auth,password,session}-Dateien, welche in den einzelnen
      Dateien der Dienste beinhaltet sind.
   --apparmor
   --apparmor-debug
   --ccreds
   --cracklib
   --cracklib-debug
   --cracklib-type=<value>
   --cracklib-retry=<value>
   --cracklib-difok=<value>
   --cracklib-difignore=<value>
   --cracklib-minlen=<value>
   --cracklib-dcredit=<value>
   --cracklib-ucredit=<value>
   --cracklib-lcredit=<value>
   --cracklib-ocredit=<value>
   --cracklib-minclass=<value>
   --cracklib-dictpath=<value>
   --env
   --env-debug
   --env-conffile=<value>
   --env-envfile=<value>
   --env-readenv=<value>
   --fp
   --fp-debug
   --gnome_keyring
   --gnome_keyring-auto_start
   --gnome_keyring-auto_start_if=<value>
   --group
   --krb5
   --krb5-debug
   --krb5-ignore_unknown_principals
   --krb5-minimum_uid=<value>
   --ldap
   --ldap-debug
   --limits
   --limits-debug
   --limits-change_uid
   --limits-utmp_early
   --limits-conf=<value>
   --localuser
   --localuser-debug
   --localuser-file=<value>
   --make
   --make-debug
   --make-nosetuid
   --make-make=<value>
   --make-log=<value>
   --make-option=<value>
   --mkhomedir
   --mkhomedir-debug
   --mkhomedir-silent
   --mkhomedir-umask=<value>
   --mkhomedir-skel=<value>
   --nam
   --pkcs11
   --pkcs11-debug
   --pkcs11-configfile=<value>
   --pwcheck
   --pwcheck-debug
   --pwcheck-nullok
   --pwcheck-cracklib
   --pwcheck-no_obscure_checks
   --pwcheck-enforce_for_root
   --pwcheck-cracklib_path=<value>
   --pwcheck-maxlen=<value>
   --pwcheck-minlen=<value>
   --pwcheck-tries=<value>
   --pwcheck-remember=<value>
   --pwhistory
   --pwhistory-debug
   --pwhistory-use_authtok
   --pwhistory-enforce_for_root
   --pwhistory-remember=<value>
   --pwhistory-retry=<value>
   --pwhistory-type=<value>
   --selinux
   --selinux-debug
   --ssh
   --ssh-debug
   --ssh-nullok
   --ssh-try_first_pass
   --ssh-keyfiles=<value>
   --thinkfinger
   --thinkfinger-debug
   --umask
   --umask-debug
   --umask-silent
   --umask-usergroups
   --umask-umask=<value>
   --unix
   --unix-debug
   --unix-audit
   --unix-nodelay
   --unix-nullok
   --unix-shadow
   --unix-md5
   --unix-bigcrypt
   --unix-not_set_pass
   --unix-nis
   --unix-broken_shadow
   --unix-remember=<value>
   --unix2
   --unix2-nullok
   --unix2-debug
   --unix2-trace
   --unix2-none
   --unix2-call_modules=<value>
   --unix2-nisdir=<value>
   --winbind
   --winbind-debug

Dienst-spezifische Modul-Optionen:
      Diese Module können nur zu einzelnen Dienst-Dateien hinzugefügt werden.
   --ck_connector
   --ck_connector-debug
   --cryptpass
   --csync
   --csync-use_first_pass
   --csync-try_first_pass
   --csync-soft_try_pass
   --csync-nullok
   --csync-debug
   --csync-silent
   --lastlog
   --lastlog-debug
   --lastlog-silent
   --lastlog-never
   --lastlog-nodate
   --lastlog-nohost
   --lastlog-noterm
   --lastlog-nowtmp
   --lastlog-noupdate
   --lastlog-showfailed
   --loginuid
   --loginuid-require_auditd
   --mount



Oct 30, 2009

Password policies on debian linux: dcredit? pam_cracklib.so?

Ok, nearly everybody knows PAM:
PAM = Pluggable Authentication Modules
The linux-pam homepage states "Basically, it is a flexible mechanism for authenticating users." But is there an easy way to enforce password policies within this PAM mechanism?

It is not really difficult if you know where to look:
Open /etc/pam.d/common-password (Debian) and read
# Alternate strength checking for password. Note that this
# requires the libpam-cracklib package to be installed.
# You will need to comment out the password line above and
# uncomment the next two in order to use this.
The next two lines are:
password required pam_cracklib.so retry=3 minlen=6 difok=3
password required pam_unix.so use_authtok nullok md5
and pam_cracklib.so can be installed via
apt-get install libpam-cracklib
To the first line add
dcredit=-4 lcredit=-2 ucredit=-1
This translates to dcredit=-4 (4 digits required), lcredit=-2 (2 lowercase letters required), ucredit=-1 (1 uppercase letter required). For a full list of parameters look here.
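What the credit values mean in practice, both here and for the --cracklib-ucredit option of pam-config in the posting above, can be checked with an added Python example (not part of either post and not pam_cracklib's code): it re-implements the credit arithmetic from the pam_cracklib man page for dcredit, ucredit, lcredit, ocredit and minlen. Negative values are hard minimums, positive values award credits that count toward minlen. The "plus one" quirk pam_cracklib applies to minlen when credits are enabled, and its dictionary, difok and retry checks, are left out.

```python
CLASS_LABELS = {
    "dcredit": "digits",
    "ucredit": "uppercase letters",
    "lcredit": "lowercase letters",
    "ocredit": "other characters",
}


def count_classes(password):
    """Count characters per pam_cracklib class."""
    return {
        "dcredit": sum(c.isdigit() for c in password),
        "ucredit": sum(c.isupper() for c in password),
        "lcredit": sum(c.islower() for c in password),
        "ocredit": sum(not c.isalnum() for c in password),
    }


def check_password(password, minlen=6, dcredit=0, ucredit=0, lcredit=0, ocredit=0):
    """Apply the credit rules and return the list of failure reasons (empty list = accepted).

    A negative limit, e.g. dcredit=-4, means "at least 4 digits" and earns no credit.
    A non-negative limit, e.g. dcredit=1, means "each digit adds one credit, at most 1",
    and length + credits must reach minlen.
    """
    counts = count_classes(password)
    failures = []
    credits = 0
    for name, limit in (("dcredit", dcredit), ("ucredit", ucredit),
                        ("lcredit", lcredit), ("ocredit", ocredit)):
        found = counts[name]
        if limit < 0:
            if found < -limit:
                failures.append("need at least %d %s, found %d"
                                % (-limit, CLASS_LABELS[name], found))
        else:
            credits += min(found, limit)
    if len(password) + credits < minlen:
        failures.append("length %d plus %d credits is below minlen=%d"
                        % (len(password), credits, minlen))
    return failures


if __name__ == "__main__":
    # the policy from the post: minlen=6 dcredit=-4 lcredit=-2 ucredit=-1, applied to constructed candidates
    policy = dict(minlen=6, dcredit=-4, lcredit=-2, ucredit=-1)
    for candidate in ("abcdef", "Ab1234cd", "SECRET99"):
        print(candidate, check_password(candidate, **policy) or "accepted")
```

The distinction matters when reading a policy: with the post's negative values a password such as "abcdef" is rejected outright, whereas with the default positive credits the same six lowercase characters would already satisfy minlen=6 on length alone.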

Oct 1, 2009

Linux: hash algorithms for passwords inside /etc/shadow

You read the headline and you are sure that this is easy to answer?
I was thinking the same: Just a MD5-hash inside this /etc/shadow file.

But this is not true anymore:
You can use several hash algorithms inside /etc/shadow like
  • MD5
  • blowfish
  • DES
  • SHA-256
  • SHA-512
Inside /etc/shadow you can see the following:
schroff:$1$<String1>$<String2>:0:99999:7:::
$1$ stands for MD5, $2a$ for blowfish, $5$ for SHA-256 and $6$ for SHA-512. <String1> contains the salt and <String2> the hashed password.
The other values can easily be interpreted (and changed) with the following command:
schroff@hades:$ chage -l schroff
Letzte Passwortänderung : Feb 01, 2009
Passwort läuft ab : nie
Passwort inaktiv : nie
Benutzerzugang läuft ab : nie
Minimale Anzahl der Tage zwischen Passwortänderungen : 0
Maximale Anzahl der Tage zwischen Passwortänderungen : 99999
Anzahl Tage, an denen vor Passwortablauf gewarnt wird : 7
And where can the hash algorithm be changed? This depends on the Linux distribution you are using:
  • /etc/pam.d/common-password (Debian)
  • /etc/default/password (SUSE/Novell)
Is there a way to generate these passwords via the command line? Yes, with the Debian package makepasswd (but only for MD5):
echo "mypasswd" | makepasswd --crypt-md5
$1$r2elYKyB$vUr/Ph.brKTldM2h2k8J5.

But this will not work via copy and paste inside /etc/shadow ;-(
To change the password via a script, some Linux distributions can use:
echo oracle:mypasswd | chpasswd

or
echo -n mypasswd | passwd --stdin oracle
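
A small audit of the format described above, added as a Python example (not from the post): it parses shadow lines into the algorithm, salt, lock state and the aging fields that chage shows, and lists accounts whose usable password still relies on MD5, DES or no hash at all. The shadow lines are constructed: the $1$ hash is the makepasswd output from the post, the $6$ hashes and the 13-character DES string are placeholders, and the $y$ (yescrypt) prefix is added because newer systems use it.

```python
from datetime import date, timedelta

# $id$ prefixes named in the post, plus yescrypt as found on newer systems
HASH_IDS = {"1": "MD5", "2a": "blowfish", "5": "SHA-256", "6": "SHA-512", "y": "yescrypt"}
WEAK = {"MD5", "DES", "none"}
EPOCH = date(1970, 1, 1)


def days_to_date(field):
    """chage-style fields are days since 1970-01-01; an empty field means unset."""
    return EPOCH + timedelta(days=int(field)) if field else None


def parse_shadow_line(line):
    """Split one /etc/shadow line (9 colon-separated fields) into a dict."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError("expected 9 colon-separated fields: %r" % line)
    name, pw, lastchg, minage, maxage, warn, inact, expire, _reserved = fields
    locked = pw.startswith("!") or pw.startswith("*")
    h = pw.lstrip("!*")  # a locked account may still carry its old hash behind the "!"
    if h == "":
        algo, salt = "none", None
    elif h.startswith("$"):
        parts = h.split("$")  # ['', id, salt, hash]; yescrypt adds a parameter part after the id
        algo = HASH_IDS.get(parts[1], "unknown ($%s$)" % parts[1])
        salt = parts[-2]
    elif len(h) == 13:
        algo, salt = "DES", h[:2]  # traditional crypt(3): 2-character salt, 11-character hash
    else:
        algo, salt = "unknown", None
    return {
        "name": name, "algorithm": algo, "salt": salt, "locked": locked,
        "last_change": days_to_date(lastchg),
        "min_days": int(minage or 0),
        "max_days": int(maxage) if maxage else None,
        "warn_days": int(warn) if warn else None,
        "expires": days_to_date(expire),
    }


def weak_hash_accounts(shadow_text):
    """Names of accounts whose usable password still relies on MD5, DES or no hash at all."""
    entries = [parse_shadow_line(l) for l in shadow_text.splitlines() if l.strip()]
    return [e["name"] for e in entries if not e["locked"] and e["algorithm"] in WEAK]


# constructed sample: 14276 days after the epoch is 2009-02-01, the date from the chage output above
SAMPLE_SHADOW = """\
schroff:$1$r2elYKyB$vUr/Ph.brKTldM2h2k8J5.:14276:0:99999:7:::
alice:$6$c0nstructedSalt$PLACEHOLDERHASHPLACEHOLDERHASHPLACEHOLDERHASHPLACEHOLDERHASHPLACEHOLDERHASHPLACE:14276:0:99999:7:::
bob:!$6$c0nstructedSalt$PLACEHOLDERHASHPLACEHOLDERHASHPLACEHOLDERHASHPLACEHOLDERHASHPLACEHOLDERHASHPLACE:14276:0:99999:7:::
carol::14276:0:99999:7:::
dave:abJnggxhB/yWI:14276:0:99999:7:::
daemon:*:14276:0:99999:7:::
"""

if __name__ == "__main__":
    for entry in map(parse_shadow_line, SAMPLE_SHADOW.splitlines()):
        print("%-8s %-9s locked=%s last change=%s" % (
            entry["name"], entry["algorithm"], entry["locked"], entry["last_change"]))
    print("weak:", weak_hash_accounts(SAMPLE_SHADOW))
```

An empty second field, as for carol above, is the case to look for first: it is not a weak hash but no password at all, and pam_unix only refuses it when nullok is absent from the auth line.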

Feb 25, 2009

Oracle Web Service Manager: extract...

The last blog posting must have been read by someone from PACKT Publishing, because today I was given an extract of the Oracle Web Service Manager book to publish on my blog!
So for all interested readers, here is an extract of chapter 6 "Digitally Signing and Verifying Messages in Web Services":





....

If you want to read more, follow the link to the complete chapter 6 or buy this book ;-)

Feb 23, 2009

Review at amazon: Oracle Web Services Manager

On the weekend I read this book:



It is a good book for OWSM beginners and administrators. It explains the basics of WS-* security. For a short introduction read my posting from last year. The book shows many screenshots for configuring OWSM, e.g. for Active Directory.
Here is the link to my review.
The product description states:
This book not only describes the need for Web Services security but also explains with detailed examples how to define security policies and enforce those policies using Oracle Web Services Manager. This book emphasizes how to use Oracle WSM to address various security use cases with detailed step-by-step examples to learn Oracle Web Service Manager. This is the book for those who want to learn how to Secure web services and Use Oracle WSM to configure web services security. It is mainly for Developers and Architects who want to learn how to use Oracle WSM to address the security challenges of web services and those who want to learn how to use Oracle WSM to address their security needs. If you have a basic knowledge of Web Services then this book will help you understand the need for security and how to use Oracle WSM to address the security challenges.

Feb 27, 2008

Security and SOA

In a service-oriented architecture the deployments of web services and BPEL processes have become more and more complex. This creates additional challenges for securing applications or message exchange.
You can use an old, mature standard to address these challenges:
transport-level security. With SSL it is very easy to secure the data. But this solution gets a little bit difficult if you want to implement message routers which should look into the payload: you have to distribute certificates to all routers. This is not feasible for large installations involving many departments or many contractors...

Is this all? No! There are some new options like the WS-* specifications...
Now you will say: "Ok, these WS-* things are very helpful. I like the WS-makeitfast and WS-generateitwithoutwork..."
You can find a diagram which shows all these WS-* specifications here (from www.innoq.com).
Yes, there are many WS-* specifications, and here is an attempt to explain WS-Security. To achieve this goal we have to start with two other specifications:

1.) XML Encryption can encrypt a whole element or just its content. The unencrypted message (example from www.w3.org):
<?xml version='1.0'?>
<PaymentInfo xmlns='http://example.org/paymentv2'>
  <Name>John Smith</Name>
  <CreditCard Limit='5,000' Currency='USD'>
    <Number>4019 2445 0277 5567</Number>
    <Issuer>Example Bank</Issuer>
    <Expiration>04/02</Expiration>
  </CreditCard>
</PaymentInfo>

and the same message with the CreditCard element encrypted (the Type value ending in '#Element' says the whole element was replaced; '#Content' would mean only its content):
<?xml version='1.0'?>
<PaymentInfo xmlns='http://example.org/paymentv2'>
  <Name>John Smith</Name>
  <EncryptedData Type='http://www.w3.org/2001/04/xmlenc#Element'
      xmlns='http://www.w3.org/2001/04/xmlenc#'>
    <CipherData>
      <CipherValue>A23B45C56</CipherValue>
    </CipherData>
  </EncryptedData>
</PaymentInfo>


2.) XML Signature can add a signing entity (example from www.w3.org):
<Signature Id="MyFirstSignature" xmlns="http://www.w3.org/2000/09/xmldsig#">
  <SignedInfo>
    <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
    <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
    <Reference URI="http://www.w3.org/TR/2000/REC-xhtml1-20000126/">
      <Transforms>
        <Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
      </Transforms>
      <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <DigestValue>j6lwx3rvEPO0vKtMup4NbeVu8nk=</DigestValue>
    </Reference>
  </SignedInfo>
  <SignatureValue>MC0CFFrVLtRlk=...</SignatureValue>
  <KeyInfo>
    <KeyValue>
      <DSAKeyValue>
        <P>...</P><Q>...</Q><G>...</G><Y>...</Y>
      </DSAKeyValue>
    </KeyValue>
  </KeyInfo>
</Signature>


WS-Security uses XML Encryption to provide confidentiality and XML Signature to provide data integrity. The SOAP headers of WS-Security can be extended for authentication purposes with X.509 certificates, Kerberos tickets, SAML tokens or others....
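
The DigestValue step of XML Signature, as an added Python example (not from the post and not the W3C sample): the data is canonicalized, hashed and base64-encoded into a <Reference>, and verification recomputes and compares. The sample above names C14N 1.0 as its CanonicalizationMethod; Python's xml.etree.ElementTree.canonicalize produces C14N 2.0, which likewise sorts attributes and normalizes quoting, so the demonstration carries over. SHA-1 is used because the W3C sample uses it; the sha256 URI is included as the current choice. The PaymentInfo document is constructed after the example above.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
# DigestMethod URIs: sha1 as in the W3C sample, sha256 as the current recommendation
DIGEST_URIS = {"sha1": DSIG_NS + "sha1", "sha256": "http://www.w3.org/2001/04/xmlenc#sha256"}


def canonicalize(xml_text):
    """Canonical XML as bytes: attribute order, quoting and empty-element syntax no longer matter."""
    return ET.canonicalize(xml_text).encode("utf-8")


def digest_value(xml_text, algorithm="sha1"):
    """Base64 digest over the canonical form, i.e. the content of <DigestValue>."""
    raw = hashlib.new(algorithm, canonicalize(xml_text)).digest()
    return base64.b64encode(raw).decode("ascii")


def build_reference(uri, xml_text, algorithm="sha1"):
    """The <Reference> element that goes into <SignedInfo> for the given data."""
    return (
        '<Reference URI="%s">' % uri
        + '<DigestMethod Algorithm="%s"/>' % DIGEST_URIS[algorithm]
        + "<DigestValue>%s</DigestValue>" % digest_value(xml_text, algorithm)
        + "</Reference>"
    )


def verify_reference(reference_xml, xml_text):
    """Recompute the digest of xml_text and compare it with the DigestValue in the Reference.

    Only the digest is checked here. In a complete signature the SignedInfo carrying this
    Reference is what SignatureValue covers, so a tampered DigestValue is caught by the
    signature check, not by this function.
    """
    ref = ET.fromstring(reference_xml)
    alg_uri = ref.find("DigestMethod").get("Algorithm")
    algorithm = next(name for name, uri in DIGEST_URIS.items() if uri == alg_uri)
    expected = ref.findtext("DigestValue", "")
    return hmac.compare_digest(expected, digest_value(xml_text, algorithm))


# constructed sample document, modelled on the PaymentInfo example above
PAYMENT = ('<PaymentInfo xmlns="http://example.org/paymentv2">'
           '<Name>John Smith</Name><CreditCard Limit="5,000" Currency="USD">'
           "<Number>4019 2445 0277 5567</Number></CreditCard></PaymentInfo>")

if __name__ == "__main__":
    reference = build_reference("#payment", PAYMENT)
    print(reference)
    print("intact:  ", verify_reference(reference, PAYMENT))
    print("modified:", verify_reference(reference, PAYMENT.replace("John Smith", "Jane Smith")))
```

Canonicalization is the part that makes the digest useful: two serializations of the same infoset (different attribute order, single versus double quotes, <a/> versus <a></a>) give one digest, while any change to the content gives another. Note that C14N does not strip whitespace-only text between elements, so a re-indented message is a different document to the signature.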

Oracle supports WS-Security, and there was a very nice article in Oracle Magazine where Mike Lehmann explained how to use WS-Security with JDeveloper.

So with Oracle AS 10g and JDeveloper you can easily secure your SOA and the web services with SSL or WS-Security....

Sep 11, 2007

Oracle Security

This evening I googled a little bit, looked into some blogs and suddenly I thought about web services and security... What about using SOAP with SSL?
The first step should be to configure the Oracle HTTP Server with SSL.
This sounds very easy, so I took a look at the documentation. Brrr...

There was nothing useful. Only something like: "on the menu bar choose wallet manager"
BUT how can I choose this on the Linux or UNIX server?
After a long search I found this nice documentation.

I do not know whether it is the right version and so on, but just the information that the CLI is owm was enough...
Perhaps I will try it tomorrow evening or not, but now I know how to start and this is quite enough.