8/6/2019 Soa Interoperability and Security 4668
1/65
SOA, Interoperability and Security
All roads lead to web services security
Nataraj Nagaratnam, Ph.D., IBM Distinguished Engineer
Chief Architect, Identity and SOA Security, Tivoli, Software Group, IBM
Agenda
Service Oriented Architecture and Interoperability: Role of Web Services
SOA Security Considerations
Web Services Security
  Standards Roadmap
  Message security, Policy
  Trust, Authorization
10/23/2007 Template Documentation 3
SOA and Interoperability
What is SOA?
A service? A repeatable business task, e.g., check customer credit; open new account.
Service oriented architecture (SOA)? An IT architectural style that supports integrating your business as linked services.
What is the SOA model?
Business Componentization: re-defining today's monolithic enterprise processes as a set of standardized modular business process components.
Service Oriented Architecture: an IT model which mirrors the interaction of business components through a set of IT applications implemented as real-time services that interact dynamically.
Web Services: a set of vendor neutral and platform agnostic standards that can be used to define how SOA components interact. WS Protocols (XML, SOAP, WSDL, UDDI) provide an interface toolkit for components.
Figure: business components, SOA application components*, component interfaces, Web Services protocols.
* Each SOA application component may be made up of multiple applications.
Web Services: a Simple View
Business Processes: Business Process Execution Language for Web Services (BPEL4WS)
Quality of Service: Security, Reliability, Management, Transactions
Description: Web Services Description Language (WSDL)
Messaging: Simple Object Access Protocol (SOAP)
Extensible Markup Language (XML)
Other Protocols, Other Services
WS-* Architectural Principles
Message orientation: using only messages to communicate between services
Protocol composability: use protocol building blocks in nearly any combination
Autonomous services: independent endpoints
Managed transparency: controlling what is externally visible
Protocol-based integration: coupling via wire artifacts only
SOA Security considerations
Security Considerations for SOA
Entities/Identities: users, services
  Services have identities
  Identities and/or credentials are propagated across services
  Users and services are now subject to the same security controls
Organizational/enterprise boundaries: the perimeter is obscure
  Identities are managed across boundaries
  Trust relationships are established across boundaries
Composite applications
  Ensuring proper security controls are enacted for each service and when used in combination
Greater focus on data/information
  Protecting data in transit and at rest
  Apply consistent protection measures
  Access to data by applications and services
Governance, Risk, and Compliance
  Auditing, i.e. tying entity identification to specific transactions
SOA Security Reference Model (figure)
Business Security Services: Identity & Access; Data Protection, Privacy & Disclosure Control; Secure Systems & Networks; Compliance & Reporting; Trust Management; Security Policy Infrastructure
IT Security Services: Authentication Services; Authorization Services; Audit Services; Identity Services; Integrity Services; Non-repudiation Services; Confidentiality Services
Security Enablers: Governance and Risk Management; Policy Management
Web Services Security
Interoperable security enablers and services
Message security: integrity, confidentiality, identity propagation
Policy: constraints, requirements
  Constraints, authorization, privacy, ...
Security services: standardized virtualized security services
Standards Summary: Web Services Security (figure)
SOAP Messaging; Message Security; Security Policy; Secure Conversation; Trust; Federation; Privacy; Authorization
Message protection
Message Processing Requires New Layers of Security
WS-Security (figure): Sender, Intermediary, Intermediary, Receiver
WS-Security
Defines a framework for building security protocols: integrity, confidentiality, propagation of security tokens
Framework designed for end-to-end security of SOAP messages, from initial sender, through 0-n intermediaries, to ultimate receiver
Leverages existing XML security specs: XMLDSIG for integrity, XMLENC for confidentiality
Provides constructs for transmitting security tokens; supports XML and binary tokens
WS-Security
WS-Security does provide:
  Message level security
  Message authentication
  Message confidentiality
  Message integrity
WS-Security does NOT provide:
  Improved SSL
  Security at lower/network layer
  Transmission security
  Application level security
  Enterprise security
  Authentication mechanisms
  Authorization security
  Intrusion detection
  Identity management
  Security architecture
  Network security
  Anti-virus protection
What are Security Tokens?
Examples include: Username token, X.509 certificate, Kerberos ticket, REL license, SAML assertion
Represent claims about: identity, capabilities, privileges
Example: a message claims to be from Alice, specified using Alice's X.509 certificate. Proof is based on Alice's private key: signing part of the message with her private key proves that she knows the key and is therefore Alice; specifically, that the signed parts are from Alice.
Web Services message transmission (figure)
SOAP Envelope
  SOAP Header: message header and routing; security content (security token, signature)
  Message Body: actual signed content
WS-Security Terminology
Claim: a claim is a statement that a client makes (e.g. name, identity, key, group, privilege, capability, etc.).
Security Token: a security token represents a collection of claims.
Signed Security Token: a signed security token is a security token that is asserted and cryptographically endorsed by a specific authority (e.g. an X.509 certificate or a Kerberos ticket).
Proof-of-Possession: the proof-of-possession information is data that is used in a proof process to demonstrate the sender's knowledge of information that SHOULD only be known to the claiming sender of a security token.
Integrity: integrity is the process by which it is guaranteed that information is not modified in transit.
Confidentiality: confidentiality is the process by which data is protected such that only authorized actors or security token owners can view the data.
Digest: a digest is a cryptographic checksum of an octet stream.
Signature: a signature is a cryptographic binding of a proof-of-possession and a digest. This covers both symmetric key-based and public key-based signatures. Consequently, non-repudiation is not always achieved.
Attachment: an attachment is a generic term referring to additional data that travels with a SOAP message, but is not part of the SOAP Envelope.
WS-Security Capabilities Summary
Message Security Model: security tokens MAY be bound to messages
Message Protection: message integrity attained by using XML Signatures with security tokens; message confidentiality attained by using XML Encryption with security tokens
WS-Security standard allows encryption/signing of: Body, Body elements, Header, Attachments
WS-Security Message Example
Message example with a username security token (1 of 3):
(005) http://fabrikam123.com/getQuote
(006) http://fabrikam123.com/stocks
(007) uuid:84b9f5d0-33fb-4a81-b02b-5b760641c1d6
First two lines start the SOAP message; lines 004 to 008 define how to route this message.
WS-Security Message Example
Message example with a username security token (2 of 3):
(010) wsse:UsernameToken Id="MyID"
(011) Zoe
(019) LyLsF0Pi4wPU...
Line 009: start of the Security header.
Lines 010 to 012 specify the security token.
Lines 013 to 028 specify a digital signature; this example uses a signature based on the security token, which is NOT a recommended signature scheme.
WS-Security Message Example
Message example with a username security token (3 of 3):
(022) DJbchm5gK...
(032) QQQ
Lines 031 to 033 contain the body of the SOAP message.
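An added example, not from the deck, that checks a message shaped like the listing above: it resolves each ds:Reference URI in the Security header's Signature to an element Id, reports whether the Body is among the signed parts and whether the signing token is carried inside the Security header. It assumes the OASIS WSS 1.0 secext/utility namespaces (the schema files in the references); the routing and payload namespaces and all digest/signature values are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Namespace URIs: SOAP 1.1 envelope, the OASIS WSS 1.0 secext and utility
# schemas (the two .xsd files listed in the references) and XML DSIG.
NS = {
    "S": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
WSU_ID = "{%s}Id" % NS["wsu"]
# Constructed sample with the same shape as the deck's listing: routing header,
# Security header carrying a UsernameToken and a Signature whose Reference
# points at the Body, then the signed Body. Digest/signature values are dummies.
SAMPLE = """<S:Envelope xmlns:S="%(S)s" xmlns:wsse="%(wsse)s" xmlns:wsu="%(wsu)s" xmlns:ds="%(ds)s">
 <S:Header>
  <r:path xmlns:r="urn:example:routing"><r:to>http://fabrikam123.com/stocks</r:to></r:path>
  <wsse:Security>
   <wsse:UsernameToken wsu:Id="MyID"><wsse:Username>Zoe</wsse:Username></wsse:UsernameToken>
   <ds:Signature>
    <ds:SignedInfo>
     <ds:Reference URI="#MsgBody"><ds:DigestValue>LyLsF0Pi4wPU...</ds:DigestValue></ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>DJbchm5gK...</ds:SignatureValue>
    <ds:KeyInfo><wsse:SecurityTokenReference><wsse:Reference URI="#MyID"/></wsse:SecurityTokenReference></ds:KeyInfo>
   </ds:Signature>
  </wsse:Security>
 </S:Header>
 <S:Body wsu:Id="MsgBody"><tru:StockSymbol xmlns:tru="urn:example:payloads">QQQ</tru:StockSymbol></S:Body>
</S:Envelope>""" % NS

def local(el):
    return el.tag.split("}")[-1]

def signed_parts(xml_text):
    """Report what the Security header's Signature covers: it is evidence only
    for the elements its ds:Reference URIs resolve to, so a receiver should
    check that the Body (and any header it relies on) is actually in that set."""
    root = ET.fromstring(xml_text)
    security = root.find("S:Header/wsse:Security", NS)
    if security is None:
        raise ValueError("no wsse:Security header")
    by_id = {el.get(WSU_ID): el for el in root.iter() if el.get(WSU_ID)}
    sig = security.find("ds:Signature", NS)
    refs = [] if sig is None else sig.findall("ds:SignedInfo/ds:Reference", NS)
    targets, dangling = [], []
    for uri in (ref.get("URI", "") for ref in refs):
        target = by_id.get(uri[1:]) if uri.startswith("#") else None
        if target is None:
            dangling.append(uri)  # reference to nothing in this message
        else:
            targets.append(target)
    # The signing key must be a token carried inside this Security header.
    str_ref = None if sig is None else sig.find("ds:KeyInfo/wsse:SecurityTokenReference/wsse:Reference", NS)
    tok_uri = "" if str_ref is None else str_ref.get("URI", "")
    token = by_id.get(tok_uri[1:]) if tok_uri.startswith("#") else None
    body = root.find("S:Body", NS)
    return {
        "token": None if token is None else local(token),
        "token_in_security_header": token is not None and token in list(security),
        "covered": [local(t) for t in targets],
        "dangling": dangling,
        "body_signed": body is not None and body in targets,
    }
```

The result separates "a Signature is present" from "the Body is signed", which is the distinction the token slide makes about which parts are really from Alice.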
Interoperable secure messages across SOA environment (figure)
WS-Security based messages (tokens, signature, encrypted elements) exchanged between IBM WebSphere and IBM WebSphere DataPower
Trust model: trust, authentication and identity propagation
WS-Trust
Defines how to broker trust relationships; some trust relationship has to exist a priori
Defines how to exchange security tokens
Defined as an interface specification for a Security Token Service
Anyone can issue tokens (be a Security Token Service)
Getting Tokens
A RequestSecurityToken message is sent to the trust service
It responds with a RequestSecurityTokenResponse, which contains the required security token and associated details (e.g. proof)
Example
  I want to have secure communication with you
  I ask the trust service for a token to allow me to talk to you
  The trust service sends two copies of a secret key: one encrypted for me (proof token), one encrypted for you (requested token)
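An added simulation, not from the deck or any IBM product, of the exchange just described: the trust service holds an a-priori key with each party, mints a fresh secret and returns it twice, as a proof token sealed for the requester and a requested token sealed for the target service; the requester then MACs a message with the brokered key and the service checks the MAC after unwrapping its own copy. The party names, the JSON token layout and the XOR keystream standing in for XML Encryption are all constructed for this example.

```python
import hashlib
import hmac
import json
import os

def seal(key, nonce, data):
    """Toy stand-in for XML Encryption: XOR with a SHA-256 keystream derived from
    the a-priori key. Symmetric, so the same call seals and unseals. Constructed
    for this simulation only; a real STS uses XML Encryption with a real cipher."""
    out = bytearray()
    for i, byte in enumerate(data):
        if i % 32 == 0:
            block = hashlib.sha256(key + nonce + (i // 32).to_bytes(4, "big")).digest()
        out.append(byte ^ block[i % 32])
    return bytes(out)

class TrustService:
    """Security Token Service: it can only broker between parties it already
    shares a key with (the trust relationship that must exist a priori)."""
    def __init__(self, party_keys):
        self.party_keys = party_keys  # party name -> 32-byte key shared with the STS

    def request_security_token(self, rst):
        """Handle a RequestSecurityToken; return a RequestSecurityTokenResponse."""
        requester, applies_to = rst["requester"], rst["applies_to"]
        if requester not in self.party_keys or applies_to not in self.party_keys:
            raise PermissionError("no a-priori trust relationship with one of the parties")
        secret = os.urandom(32)
        claims = {"subject": requester, "applies_to": applies_to, "key_size": 256}
        nonce_t, nonce_p = os.urandom(12), os.urandom(12)
        # Requested token: claims plus the secret, sealed for the target service.
        token = json.dumps({"claims": claims, "key": secret.hex()}).encode()
        return {
            "claims": claims,
            "requested_token": {"nonce": nonce_t, "data": seal(self.party_keys[applies_to], nonce_t, token)},
            # Proof token: the same secret, sealed for the requester.
            "proof_token": {"nonce": nonce_p, "data": seal(self.party_keys[requester], nonce_p, secret)},
        }

def requester_send(requester_key, rstr, body):
    """Requester: recover the secret from the proof token, attach the requested
    token to the message and authenticate the body with the brokered key."""
    proof = rstr["proof_token"]
    key = seal(requester_key, proof["nonce"], proof["data"])
    return {"token": rstr["requested_token"], "body": body,
            "mac": hmac.new(key, body, "sha256").digest()}

def service_verify(service_key, msg):
    """Service: unwrap the requested token with its own STS key, then check the
    MAC with the key found inside. Returns (claims, mac_ok)."""
    tok = msg["token"]
    token = json.loads(seal(service_key, tok["nonce"], tok["data"]))
    key = bytes.fromhex(token["key"])
    expected = hmac.new(key, msg["body"], "sha256").digest()
    return token["claims"], hmac.compare_digest(expected, msg["mac"])

def demo():
    """Full exchange between 'alice' and the 'stocks' service through one STS."""
    keys = {"alice": os.urandom(32), "stocks": os.urandom(32)}  # established a priori
    sts = TrustService(keys)
    rstr = sts.request_security_token({"requester": "alice", "applies_to": "stocks"})
    msg = requester_send(keys["alice"], rstr, b"<StockSymbol>QQQ</StockSymbol>")
    claims, ok = service_verify(keys["stocks"], msg)
    tampered = dict(msg, body=b"<StockSymbol>MSFT</StockSymbol>")
    return claims["subject"], ok, service_verify(keys["stocks"], tampered)[1]
```

Only the two parties named in the token can open their copy, so the service learns the requester's claims and key without ever having shared a secret with the requester directly.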
Example (figure): token exchange across three numbered parties with trust relationships between them. Labels: 1: U/P, T1, P1; 2: T2, P2, T1; 3: T2. Legend: T# = Security Token, P# = Proof token.
Identity mediation using WS-Trust: Tivoli Federated Identity Manager (figure)
Components: ESB, Firewall, Firewall, Tivoli Federated Identity Manager, DataPower
Challenge mechanism (figure)
Request Token; Issue Challenge; Respond to Challenge; Issue Token
Other Token Characteristics
Requester can specify various required characteristics of the security token: key type, size; delegation constraints
Trust service can then indicate those characteristics in the response; may indicate anything it thinks important
Persisted Context (figure): SCT
Farm Context (figure): SCT
WS-SecureConversation
WS-Security provides for single message security
Nodes will often want to exchange more than one message
Specifying new symmetric keys for each message is tedious, verbose, and inefficient
WS-SecureConversation defines mechanisms to address this
WS-SecureConversation
Participants establish a shared context; the context contains keys/secrets and other information
Can be stateless (state embedded in the security context token)
Context established multiple ways: using token exchange; having one party create the context; through negotiation
Policy
Policy Framework (figure): Policy, Policy Attachment, Policy Assertions, WSDL
WS-Policy
Framework for expressing Web service capabilities and requirements: security, transactions, reliable messaging, transports, ...
WS-Policy Model
Policy: collection of alternatives; pick one
Alternative: collection of assertions; do all
Assertion: domain-specific behavior; strongly typed; arbitrary parameters to behavior
WS-Policy Expressions
May represent a policy in a compact form
Nest operators: All distributes over ExactlyOne
Assertion/@wsp:Optional=true: an alternative with and an alternative without; simplification of the prior @wsp:Usage=xs:QName
Policy reference to reuse a common expression: included as is where referenced
WS-Policy Intersections
Do two Web service endpoints have compatible policy?
  At design time, to wire together compatible services
  At runtime, to select compatible options
Two alternatives are compatible if they at least have the same assertion types
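An added example, not from the deck, implementing the model of the last three slides: compact expressions are normalized (All distributed over ExactlyOne, an Optional assertion expanded into an alternative with and one without) and two endpoints' policies are intersected by matching alternatives with the same assertion types. The WS-SecurityPolicy-style assertion names and parameters in the sample are constructed for illustration and are not listed on the deck.

```python
from collections import namedtuple
from itertools import product

# Compact-form policy expression: All = every child applies, ExactlyOne = pick
# one child, Assertion = a typed, parameterised behaviour, possibly wsp:Optional.
All = namedtuple("All", "children")
ExactlyOne = namedtuple("ExactlyOne", "children")
Assertion = namedtuple("Assertion", "type params optional")

def normalize(expr):
    """Expand a compact expression into its alternatives, each a list of
    assertions: All distributes over ExactlyOne, and an Optional assertion
    yields one alternative with it and one without."""
    if isinstance(expr, All):
        alts = [[]]
        for child in expr.children:  # cross product over the children
            alts = [a + b for a, b in product(alts, normalize(child))]
        return alts
    if isinstance(expr, ExactlyOne):
        return [alt for child in expr.children for alt in normalize(child)]
    required = [Assertion(expr.type, expr.params, False)]
    return [required, []] if expr.optional else [required]

def compatible(alt_a, alt_b):
    """Two alternatives are compatible if they have the same assertion types;
    whether the parameters agree is left to the domain (e.g. WS-SecurityPolicy)."""
    return {a.type for a in alt_a} == {b.type for b in alt_b}

def intersect(policy_a, policy_b):
    """Alternatives both endpoints can agree on, with both sides' parameters
    merged per assertion type so a runtime can pick one and configure it."""
    result = []
    for alt_a, alt_b in product(normalize(policy_a), normalize(policy_b)):
        if compatible(alt_a, alt_b):
            merged = {a.type: dict(a.params) for a in alt_a}
            for b in alt_b:
                merged[b.type].update(b.params)
            result.append(merged)
    return result

# Constructed sample (assertion names are illustrative). The service accepts
# either a transport binding with a UsernameToken or an asymmetric binding with
# an X.509 token, and optionally wants the Body signed; the client only does the
# former and adds a parameter of its own.
SERVICE = All([
    ExactlyOne([
        All([Assertion("sp:TransportBinding", {"transport": "https"}, False),
             Assertion("sp:UsernameToken", {}, False)]),
        All([Assertion("sp:AsymmetricBinding", {}, False),
             Assertion("sp:X509Token", {"version": "v3"}, False)]),
    ]),
    Assertion("sp:SignedParts", {"body": True}, True),
])
CLIENT = All([Assertion("sp:TransportBinding", {"transport": "https"}, False),
              Assertion("sp:UsernameToken", {"passwordType": "digest"}, False)])

def sample():
    """SERVICE normalizes to 4 alternatives; exactly one is compatible with CLIENT."""
    return len(normalize(SERVICE)), intersect(SERVICE, CLIENT)
```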
WS-Policy Runtime Intersections (figure)
WS-PolicyAttachment
Associate policy with WSDL constructs
Interface-wide policy, e.g., SOAP version; transports (and addresses); which token to use when signing messages; which version of transactions (if any)
Message policy, e.g., which parts of this message to sign; whether this message is part of a transaction
WS-SecurityPolicy
A set of policy assertions related to concepts defined by other WS-Sec* specs
Allows participants to specify: token types; whether integrity and/or confidentiality are required; algorithms for the above; which message parts need signing/encrypting
WS-SecurityPolicy Example (figure)
Federation
WS-Federation
Single Sign-On access across trust domains using identities from the different domains
WS-Federation defines a model for this, building on the WS-* security specifications: model for trust; sign out messages; attribute service; pseudonym service; federation
Federation using Tivoli Federated Identity Manager (figure)
Labels: Web Access / Web SSO; Benefits Service, Billing Service, Portal Service; Web SSO; WS-Security/WS-Federation/SAML; Partners using Microsoft, Partners using Liberty, Partners using SAML; Third-party User, Partner, Third Party, Third-Party Access; Tivoli Federated Identity Manager; User; Federated Access; Direct Access; WS-Federation/SAML
Authorization
Authorization (WS-Trust profile)
Authorization service that renders an authorization decision and can return entitlements
Authorization attributes could be part of token issue
Built on WS-Trust
Now published as part of the WS-Federation spec
Secure, Reliable, Transacted Web Services (figure)
Service Composition: BPEL4WS
Composable Service Assurances: Security, Reliable Messaging, Transactions
Description: XSD, WSDL, UDDI, Policy, MetadataExchange
Messaging: XML, SOAP, Addressing
Transports: HTTP, HTTPS, SMTP
From joint IBM/MSFT WS Whitepaper at http://msdn.microsoft.com/webservices/default.aspx?pull=/library/en-us/dnwebsrv/html/wsoverview.asp
Importance of Composition
Everything works in combination
  Ex: transaction context works over a reliable connection
  Ex: participants use WS-Security to secure transactions (for all types of participants)
Not "reinventing the wheel" for every stack
  Code reuse, lower costs, faster time to market
  Ex: all resources named using WS-Addressing
The overall system is more stable
  Changes don't percolate up the stack
  Ex: by using WS-Security, Federation supports all tokens, including future ones
IBM Product Support
WebSphere Application Server 5.0: supported the WS-Security input spec as a technology preview
WAS 5.02: supported the first WSS TC committee draft as a partial implementation
WebSphere Application Server 5.1: increased support for the first WSS TC committee draft
WebSphere Application Server 6.0: supports the full OASIS WSS TC Standard v1.1
Tivoli Federated Identity Manager: WS-Security support, WS-Trust support, WS-Federation support
References (1 of 4)
OASIS WSS TC Homepage: http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=wss
Web Services Security: SOAP Message Security: http://www.oasis-open.org/committees/download.php/5941/oasis-200401-wss-soap-message-security-1.0.pdf
Web Services Security: Username Token Profile: http://www.oasis-open.org/committees/download.php/5942/oasis-200401-wss-username-token-profile-1.0.pdf
Web Services Security: X.509 Certificate Token Profile: http://www.oasis-open.org/committees/download.php/5943/oasis-200401-wss-x509-token-profile-1.0.pdf
Schema Files: http://www.oasis-open.org/committees/download.php/5076/oasis-200401-wss-wssecurity-secext-1.0.xsd.xsd and http://www.oasis-open.org/committees/download.php/5075/oasis-200401-wss-wssecurity-utility-1.0.xsd.xsd
References (2 of 4)
OASIS WSS TC Call for participation & Original Charter: http://lists.oasis-open.org/archives/wss/200207/msg00000.html
OASIS WSS TC Revised Charter after first TC meeting: http://lists.oasis-open.org/archives/members/200209/msg00007.html
OASIS Announcement of public review phase for WS-Security: http://lists.oasis-open.org/archives/members/200309/msg00011.html
OASIS Announcement of WSS voting as a 1.0 standard: http://lists.oasis-open.org/archives/members/200403/msg00014.html
Original DeveloperWorks posting of WS-Security, Roadmap & Addendum: http://www-106.ibm.com/developerworks/webservices/library/ws-secure/ , http://www-106.ibm.com/developerworks/webservices/library/ws-secmap/ , http://www-106.ibm.com/developerworks/library/ws-secureadd.html
WS-Security License from IBM: http://www.ibm.com/ibm/licensing/977Q/2112.shtml
WS-Security License from Microsoft: http://msdn.microsoft.com/webservices/wss_license.aspx
References (3 of 4)
OASIS WSS TC Disposition of public review/comments: http://lists.oasis-open.org/archives/wss/200401/msg00157.html , http://lists.oasis-open.org/archives/wss/200311/msg00044.html
OASIS WSS TC Notes sent to OASIS at submission time: http://lists.oasis-open.org/archives/wss/200402/msg00040.html , http://www.oasis-open.org/apps/org/workgroup/wss/download.php/5334/submission-notes.pdf
Statements of implementation:
http://lists.oasis-open.org/archives/wss/200402/msg00022.html
http://lists.oasis-open.org/archives/wss/200402/msg00023.html
http://lists.oasis-open.org/archives/wss/200402/msg00024.html
http://lists.oasis-open.org/archives/wss/200402/msg00025.html
http://lists.oasis-open.org/archives/wss/200402/msg00026.html
http://lists.oasis-open.org/archives/wss/200402/msg00027.html
http://lists.oasis-open.org/archives/wss/200402/msg00028.html
http://lists.oasis-open.org/archives/wss/200402/msg00029.html
References (4 of 4)
OASIS WSS TC Public review comments archive: http://lists.oasis-open.org/archives/wss-comment/
OASIS WSS TC Latest issues list as of 3/23/2004: http://www.oasis-open.org/committees/download.php/6047/wss-issues-36.htm