Security Patterns with WSO2 ESB

Posted on 15-Jan-2015


Transcript of Security Patterns with WSO2 ESB

May 2014

Security Patterns with WSO2 ESB

Isuru Udana, Senior Software Engineer
Jeewantha Dharmaparakrama, Software Engineer

About the Presenters

๏ Jeewantha Dharmaparakrama, Software Engineer, WSO2, jeewantha@wso2.com

๏ Isuru Udana, Senior Software Engineer, WSO2, isuruu@wso2.com

About WSO2

๏ Global enterprise, founded in 2005 by acknowledged leaders in XML, web services technologies, standards and open source

๏ Provides only open source platform-as-a-service for private, public and hybrid cloud deployments

๏ All WSO2 products are 100% open source and released under the Apache License Version 2.0.

๏ Is an active member of OASIS, Cloud Security Alliance, OSGi Alliance, AMQP Working Group, OpenID Foundation and W3C.

๏ Driven by innovation

๏ Launched first open source API Management solution in 2012

๏ Launched App Factory in 2Q 2013

๏ Launched Enterprise Store and first open source Mobile solution in 4Q 2013

What  WSO2  delivers  

Outline

• Security with WSO2 ESB
• WS-Security
• Transport Level Security
• OAuth and Entitlement
• Some of the commonly used Security Patterns in SOA
• Authentication patterns
• Authorization patterns
• Data Confidentiality
• Data integrity and non repudiation
• QnA

Security Requirements

• Authentication
• Authorization
• Confidentiality
• Integrity
• Non repudiation
• Availability

WSO2 ESB

• A lightweight, high performance ESB
• Feature rich and standards compliant
• SOAP and WS-* standards
• REST support
• Domain specific protocol support (e.g. FIX, HL7)
• User friendly and highly extensible
• 100% free and open source with commercial support

Security with WSO2 ESB

• WS-Security
• Transport Level Security
• OAuth and Entitlement

WS-Security with WSO2 ESB

• WS-Security is an extension to SOAP to apply security to Web services
• Provides message level security
• Apache Rampart handles WS-Security at the ESB
• Policy (WS-SecurityPolicy) driven

WS-Security with WSO2 ESB: Unsecured Services

WS-Security with WSO2 ESB: Exposing Unsecured Services as Secured

WS-Security with WSO2 ESB: Exposing Secured Services as Unsecured

WS-Security with WSO2 ESB: Security Transition

Transport Level Security

HTTPS Transport

• High performance PassThrough Transport

Supports:

• SSL
• Mutual SSL
• SSL Profiles (Inbound and Outbound)
• Verification of certificate revocation (OCSP/CRL)
• SSL Tunneling

HTTPS Transport

Mutual SSL

• Client and server authenticate each other
• Similar to SSL but with the addition of client authentication
• The server requests the client to provide a certificate
• Typically used when an extra level of security is needed
• Extra cost involved

Demo 1: Mutual SSL

SSL Outbound Profiles

• Allows specifying different SSL profiles for different backend servers
• Each profile has a separate KeyStore and a TrustStore
• Allows connecting to different target servers using different certificates and identities

SSL Inbound Profiles

• Allows specifying different SSL profiles for different IPs of the server
• Each profile has a separate KeyStore and a TrustStore

Verification of Certificate Revocation

- A certificate has an expiry time.
- What if a certificate gets revoked before the expiration time?
- There should be a way to make those certificates untrustworthy.

• Certificate Revocation List (CRL)
• Online Certificate Status Protocol (OCSP)

CRL

• A Certificate Revocation List (CRL) is a list of certificates that have been revoked by their issuer (CA)
• Entities presenting those (revoked) certificates should no longer be trusted
• A CRL is generated and published periodically

OCSP

• Online Certificate Status Protocol offers an alternative to a certificate revocation list (CRL)
• Real-time revocation status during the certificate verification process
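The CRL check the three slides above describe, carried through end to end as an added Go example; it is not part of the presentation and not WSO2's code. It constructs an in-memory CA, two client certificates and a CRL that lists one of them, then does what a mutual-SSL endpoint with revocation checking enabled has to do for every presented certificate: chain it to the trusted issuer, confirm the CRL really comes from that issuer and is still fresh, and only then look the serial number up. The CA name, serial numbers and validity periods are made up for the example; OCSP is not simulated, because it is a live query to a responder rather than a published list.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// TestPKI is a constructed, in-memory PKI: one issuing CA, a client certificate
// that is still good, one the CA has revoked, and the DER-encoded CRL it published.
type TestPKI struct {
	CA, Good, Revoked *x509.Certificate
	CRLDER            []byte
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// issue generates a P-256 key for tmpl and has signer sign it (signer nil means
// self-signed). The DER is re-parsed so fields the library fills in, such as
// SubjectKeyId, are populated on the returned certificate.
func issue(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	if signer == nil { // self-signed: the new key signs its own template
		signer, parent = key, tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// BuildTestPKI issues the CA, two client certificates valid for 24h, and a CRL that
// lists the second one and stays fresh for 12h. All names and serials are made up.
func BuildTestPKI() *TestPKI {
	now := time.Now()
	ca, caKey := issue(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Issuing CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // crlSign is required to issue CRLs
	}, nil, nil)
	leaf := func(serial int64, cn string) *x509.Certificate {
		c, _ := issue(&x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
			KeyUsage:    x509.KeyUsageDigitalSignature,
			ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		}, ca, caKey)
		return c
	}
	good, revoked := leaf(1001, "client-a.example.test"), leaf(1002, "client-b.example.test")
	crlDER, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(7), ThisUpdate: now.Add(-time.Minute), NextUpdate: now.Add(12 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: revoked.SerialNumber, RevocationTime: now.Add(-10 * time.Minute)}},
	}, ca, caKey)
	must(err)
	return &TestPKI{CA: ca, Good: good, Revoked: revoked, CRLDER: crlDER}
}

// VerifyPeer is what a mutual-SSL endpoint with CRL checking has to do for a presented
// certificate: chain it to the trusted issuer, confirm the CRL is signed by that issuer
// and still fresh, then look the serial up. Every failure rejects the peer (fail closed).
func VerifyPeer(leaf, issuer *x509.Certificate, crlDER []byte, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(issuer)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := leaf.Verify(opts); err != nil {
		return fmt.Errorf("chain: %w", err)
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return fmt.Errorf("crl parse: %w", err)
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return fmt.Errorf("crl signature: %w", err) // a CRL not signed by the CA proves nothing
	}
	if now.After(crl.NextUpdate) {
		return fmt.Errorf("crl stale (nextUpdate %s)", crl.NextUpdate.UTC()) // never assume "not revoked"
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return fmt.Errorf("%q (serial %v) revoked at %s", leaf.Subject.CommonName, leaf.SerialNumber, rc.RevocationTime.UTC())
		}
	}
	return nil
}

func main() {
	pki := BuildTestPKI()
	for _, c := range []*x509.Certificate{pki.Good, pki.Revoked} {
		fmt.Printf("%-22s -> %v\n", c.Subject.CommonName, VerifyPeer(c, pki.CA, pki.CRLDER, time.Now()))
	}
}
```

The order of the checks matters: the CRL signature is verified before its contents are consulted, and a CRL past its nextUpdate is treated as a failure rather than as "nothing revoked", which is the difference between a check that fails closed and one an attacker can defeat by withholding the fresh list.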

 

SSL Tunneling

• If a proxy service connects to a back-end server through a proxy server, we can enable SSL Tunneling through the proxy server
• SSL Tunneling prevents any intermediary proxy servers from interfering with the communication

OAuth mediator

• Used for constrained access delegation.
• The client has to get an OAuth access token from the Authorization server
• When a client sends a request with an OAuth token, the OAuth mediator will get the access token validated by the Authorization server.

Example configuration:

    <oauthService xmlns="http://ws.apache.org/ns/synapse" remoteServiceUrl="https://localhost:9443/service" username="foo" password="bar" />

Entitlement mediator

• Intercepts requests and evaluates the actions performed by the user against an eXtensible Access Control Markup Language (XACML) policy.
• WSO2 Identity Server can be used as the XACML Policy Decision Point (PDP) where the policy is set.
• WSO2 ESB serves as the XACML Policy Enforcement Point (PEP) where the policy is enforced.

Some common security patterns with WSO2 ESB

Authentication

• Direct authentication
• Brokered authentication
• Protocol transition
• Trusted subsystem

Direct Authentication

Brokered Authentication

• Security Token Service - SAML Assertions
• Kerberos

http://wso2.com/library/articles/2012/07/kerberos-authentication-using-wso2-products/

Protocol Transition

Trusted Subsystem

Some common security patterns with WSO2 ESB Contd..

Authorization

• Role based access control
• Claim based authorization
• Constrained access delegation

Role based Access Control

Claim based Authorization

Authorization based on claims carried in a SAML token, using the Entitlement Mediator: https://docs.wso2.org/display/ESB481/Entitlement+Mediator

Constrained Access Delegation

Using the OAuth Mediator: https://docs.wso2.org/display/ESB481/OAuth+Mediator

Constrained Access Delegation Contd.

1. Client gets registered with the Authorization server (WSO2 IS)

2. Authorization server generates a client ID and client secret for the registered client.

Constrained Access Delegation

3. Client requests the Authorization server for the OAuth access token for the resource, providing the client ID and secret:

    curl -u <Client_id>:<Client_secret> -k -d "grant_type=password&username=admin&password=admin" -H "Content-Type:application/x-www-form-urlencoded" https://localhost:9444/oauth2endpoints/token

4. Authorization server will provide the access token to the client:

    {"token_type":"bearer","expires_in":810,"refresh_token":"8dd86285b6ccde955ce4ab65f41871cb","access_token":"4eb7939a6db20a0eddcd44e59badcb6"}

5. Client will send the access token in an Authorization HTTP header to the resource server via WSO2 ESB:

    curl -H "Authorization:Bearer 4eb7939a6db20a0eddcd44e59badcb6" -v http://localhost:8282/stockquote/view/IBM

6. OAuth mediator in WSO2 ESB does the access token verification with the Authorization server (WSO2 IS)
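The six steps above and the OAuth mediator slide, played out in one runnable Go example that is added here and is neither the presentation's nor WSO2's code. It stands in for both parties: an in-memory authorization server that registers a client (steps 1-2), issues a bearer token for the password grant with the same JSON fields and the same 810-second lifetime the slides show (steps 3-4), and validates tokens on request (step 6); and the ESB-side check that reads the Authorization header of an incoming request (step 5) and rejects a missing header, a non-Bearer scheme, an unknown token and an expired one. The client id and secret are placeholders, the token endpoint and the mediator's own configuration are not reproduced, and the clock is injectable only so that expiry can be exercised without waiting.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"net/http"
	"strings"
	"time"
)

// TokenResponse has the shape of the JSON the slides show in step 4.
type TokenResponse struct {
	TokenType    string `json:"token_type"`
	ExpiresIn    int    `json:"expires_in"`
	RefreshToken string `json:"refresh_token"`
	AccessToken  string `json:"access_token"`
}

// AuthServer is a constructed, in-memory stand-in for the authorization server (WSO2 IS
// in the slides). Secrets are held in plain text only because nothing here is persisted.
type AuthServer struct {
	Now            func() time.Time     // injectable clock so expiry can be tested
	clients, users map[string]string    // client_id -> secret, username -> password
	owner          map[string]string    // access_token -> username it was issued to
	expires        map[string]time.Time // access_token -> expiry
	ttl            time.Duration
}

func NewAuthServer(ttl time.Duration) *AuthServer {
	return &AuthServer{Now: time.Now, clients: map[string]string{}, users: map[string]string{},
		owner: map[string]string{}, expires: map[string]time.Time{}, ttl: ttl}
}

// Steps 1-2: registration gives the client an id and a secret.
func (a *AuthServer) RegisterClient(id, secret string) { a.clients[id] = secret }
func (a *AuthServer) AddUser(name, password string)     { a.users[name] = password }

// equal compares secrets in constant time so a wrong value is not distinguishable by timing.
func equal(a, b string) bool { return subtle.ConstantTimeCompare([]byte(a), []byte(b)) == 1 }

func randomToken() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// Steps 3-4: password grant. The client authenticates with id/secret (curl -u in the
// slides) and passes the resource owner's username/password in the form body.
func (a *AuthServer) Token(clientID, clientSecret, grantType, user, password string) (TokenResponse, error) {
	if s, ok := a.clients[clientID]; !ok || !equal(s, clientSecret) {
		return TokenResponse{}, errors.New("invalid_client")
	}
	if grantType != "password" {
		return TokenResponse{}, errors.New("unsupported_grant_type")
	}
	if p, ok := a.users[user]; !ok || !equal(p, password) {
		return TokenResponse{}, errors.New("invalid_grant")
	}
	tok := randomToken()
	a.owner[tok], a.expires[tok] = user, a.Now().Add(a.ttl)
	return TokenResponse{TokenType: "bearer", ExpiresIn: int(a.ttl / time.Second),
		RefreshToken: randomToken(), AccessToken: tok}, nil
}

// Step 6: the validation the OAuth mediator asks the authorization server for.
func (a *AuthServer) Validate(tok string) (user string, ok bool) {
	exp, found := a.expires[tok]
	if !found || !a.Now().Before(exp) { // unknown and expired tokens both fail
		return "", false
	}
	return a.owner[tok], true
}

// BearerFromHeader parses "Authorization: Bearer <token>"; the scheme name is
// case-insensitive (RFC 6750), and Basic, empty or malformed headers are rejected.
func BearerFromHeader(h string) (string, bool) {
	parts := strings.Fields(h)
	if len(parts) != 2 || !strings.EqualFold(parts[0], "Bearer") {
		return "", false
	}
	return parts[1], true
}

// Mediate is the ESB-side check of steps 5-6: the HTTP status the ESB should answer
// with, and the authenticated user when the token is good.
func Mediate(a *AuthServer, hdr http.Header) (int, string) {
	if tok, ok := BearerFromHeader(hdr.Get("Authorization")); ok {
		if user, ok := a.Validate(tok); ok {
			return http.StatusOK, user
		}
	}
	return http.StatusUnauthorized, ""
}

func main() {
	as := NewAuthServer(810 * time.Second) // 810 s matches expires_in in the slides
	as.RegisterClient("client-id-placeholder", "client-secret-placeholder")
	as.AddUser("admin", "admin")
	resp, _ := as.Token("client-id-placeholder", "client-secret-placeholder", "password", "admin", "admin")
	fmt.Println(Mediate(as, http.Header{"Authorization": {"Bearer " + resp.AccessToken}}))
}
```

Two details worth carrying over to a real deployment: the mediator forwards nothing until the authorization server has answered, so an unknown or expired token never reaches the resource server; and the `-k` in the step 3 curl command turns off TLS certificate verification on the client, which is fine against the local demo endpoint but means the token request in step 3 would be sent to whoever answers on that port in any other setting.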

Some common security patterns with WSO2 ESB Contd..

Confidentiality

Data encryption with WS-Security

Non Repudiation + Integrity

Data signing with WS-Security

Demo 2: WS-Sec Sign and Encryption

QnA

Business Model

Contact us!