Soa Interoperability and Security 4668


Transcript of Soa Interoperability and Security 4668

  • 8/6/2019 Soa Interoperability and Security 4668

    1/65

    SOA, Interoperability and Security

    All roads lead to web services security

    Nataraj Nagaratnam, Ph.D., IBM Distinguished Engineer

    Chief Architect, Identity and SOA Security, Tivoli, Software Group, IBM

    [email protected]

  • Slide 2/65

    Agenda

    Service Oriented Architecture and Interoperability

    Role of Web Services

    SOA Security Considerations

    Web Services Security

    Standards Roadmap

    Message security Policy

    Trust, Authorization

  • Slide 3/65

    10/23/2007 Template Documentation 3

    SOA and Interoperability

  • Slide 4/65

    What is SOA? What is a service?

    A service: a repeatable business task, e.g., check customer credit; open new account

    Service oriented architecture (SOA)? An IT architectural style that supports integrating your business as linked services

  • Slide 5/65


    What is the SOA model?

    Business Componentization: re-defining today's monolithic enterprise processes as a set of standardized modular business process components

    Service Oriented Architecture: an IT model which mirrors the interaction of business components through a set of IT applications implemented as real-time services that interact dynamically

    Web Services: a set of vendor neutral and platform agnostic standards that can be used to define how SOA components interact

    WS Protocols (XML, SOAP, WSDL, UDDI) provide an interface toolkit for components

    Diagram layers: Business components; SOA application components*; Component interfaces; Web Services protocols

    * Each SOA application component may be made up of multiple applications

  • Slide 6/65

    Web Services, a Simple View

    Business Processes: Business Process Execution Language for Web Services (BPEL4WS)

    Quality of Service: Security, Reliability, Management, Transactions

    Description: Web Services Description Language (WSDL)

    Messaging: Simple Object Access Protocol (SOAP)

    Extensible Markup Language (XML)

    Other Protocols, Other Services

  • Slide 7/65

    WS-* Architectural Principles

    Message orientation: using only messages to communicate between services

    Protocol composability: use protocol building blocks in nearly any combination

    Autonomous services: independent endpoints

    Managed transparency: controlling what is externally visible

    Protocol-based integration: coupling via wire artifacts only

  • Slide 8/65

    SOA Security considerations

  • Slide 9/65


    Security Considerations for SOA

    Entities/Identities: users, services

    Services have identities

    Identities and/or credentials are propagated across services

    Users and services are now subject to the same security controls

    Organizational/enterprise boundaries: the perimeter is obscure

    Identities are managed across boundaries

    Trust relationships are established across boundaries

    Composite applications: ensuring proper security controls are enacted for each service and when used in combination

    Greater focus on data/information

    Protecting data in transit and at rest

    Apply consistent protection measures

    Access to data by applications and services

    Governance, Risk, and Compliance

    Auditing, i.e., linking entity identification to specific transactions

  • Slide 10/65


    SOA Security Reference Model

    Business Security Services: Identity & Access; Data Protection, Privacy & Disclosure Control; Secure Systems & Networks; Compliance & Reporting; Trust Management

    IT Security Services: Authentication Services; Authorization Services; Audit Services; Identity Services; Integrity Services; Non-repudiation Services; Confidentiality Services

    Security Policy Infrastructure

    Security Enablers

    Governance and Risk Management; Policy Management

  • Slide 11/65

    Web Services Security

  • Slide 12/65

    Interoperable security enablers and services

    Message security: integrity, confidentiality, identity propagation

    Policy: constraints, requirements (constraints, authorization, privacy, ...)

    Security services: standardized virtualized security services

  • Slide 13/65

    Standards Summary: Web Services Security

    Message Security

    Security Policy

    Secure Conversation

    Trust

    Federation

    Privacy

    Authorization

    SOAP Messaging

  • Slide 14/65

    Message protection

  • Slide 15/65

    Message Processing Requires New Layers of Security

  • Slide 16/65

    WS-Security

    Diagram: Sender, Intermediary, Intermediary, Receiver

  • Slide 17/65

    WS-Security

    Defines a framework for building security protocols: integrity, confidentiality, propagation of security tokens

    Framework designed for end-to-end security of SOAP messages, from initial sender, through 0-n intermediaries, to ultimate receiver

    Leverages existing XML security specs: XMLDSIG for integrity, XMLENC for confidentiality

    Provides constructs for transmitting security tokens; supports XML and binary tokens

  • Slide 18/65

    WS-Security

    WS-Security does provide:

    Message level security

    Message authentication

    Message confidentiality

    Message integrity

    WS-Security does NOT provide:

    Improved SSL

    Security at lower/network layer

    Transmission security

    Application level security

    Enterprise security

    Authentication mechanisms

    Authorization security

    Intrusion detection

    Identity management

    Security Architecture

    Network Security

    Anti-Virus protection

  • Slide 19/65

    What are Security Tokens?

    Examples include: Username token, X509 Certificate, Kerberos ticket, REL license, SAML assertion

    Represent claims about identity, capabilities, privileges

    Example: a message claims to be from Alice, specified using Alice's X509 certificate

    Proof is based on Alice's private key: signing part of the message with her private key proves that she knows the key and is therefore Alice; specifically, that the signed parts are from Alice

  • Slide 20/65

    Web Services message transmission

    Soap Envelope

    Soap Header: Message Header and Routing; Security Content (Security Token, Signature)

    Message Body: actual signed content

  • Slide 21/65

    WS Security Terminology:

    Claim - A claim is a statement that a client makes (e.g. name, identity, key, group, privilege, capability, etc).

    Security Token - A security token represents a collection of claims.

    Signed Security Token - A signed security token is a security token that is asserted and cryptographically endorsed by a specific authority (e.g. an X.509 certificate or a Kerberos ticket).

    Proof-of-Possession - The proof-of-possession information is data that is used in a proof process to demonstrate the sender's knowledge of information that SHOULD only be known to the claiming sender of a security token.

    Integrity - Integrity is the process by which it is guaranteed that information is not modified in transit.

    Confidentiality - Confidentiality is the process by which data is protected such that only authorized actors or security token owners can view the data.

    Digest - A digest is a cryptographic checksum of an octet stream.

    Signature - A signature is a cryptographic binding of a proof-of-possession and a digest. This covers both symmetric key-based and public key-based signatures. Consequently, non-repudiation is not always achieved.

    Attachment - An attachment is a generic term referring to additional data that travels with a SOAP message, but is not part of the SOAP Envelope.

  • Slide 22/65

    WS Security Capabilities Summary

    Message Security Model: Security Tokens MAY be bound to messages

    Message Protection: Message Integrity attained by using XML Signatures with Security Tokens; Message Confidentiality attained by using XML Encryption with Security Tokens

    WS Security Standard allows encryption/signing of: Body, Body Elements, Header, Attachments

  • Slide 23/65

    WS Security Message Example

    Message example with a username security token (1 of 3):

    (001)-(008): SOAP envelope start and routing header (element markup not preserved in this transcript); values shown: http://fabrikam123.com/getQuote (005), http://fabrikam123.com/stocks (006), uuid:84b9f5d0-33fb-4a81-b02b-5b760641c1d6 (007)

    First two lines start the SOAP message

    Lines 004 to 008 define how to route this message

  • Slide 24/65

    WS Security Message Example

    Message example with a username security token (2 of 3):

    (009)-(020): Security header with wsse:UsernameToken Id="MyID" carrying the username Zoe (010-012), followed by the start of the signature; the digest value at line 019 begins LyLsF0Pi4wPU... (element markup not preserved in this transcript)

    Line 009: Start of Security header

    Lines 010 to 012 specify the security token

    Lines 013 to 028 specify a digital signature. This example uses a signature based on the security token; this is NOT a recommended signature scheme.

  • Slide 25/65

    WS Security Message Example

    Message example with a username security token (3 of 3):

    (021)-(034): signature value beginning DJbchm5gK... (022), the rest of the signature and Security header, and the SOAP body containing the value QQQ (element markup not preserved in this transcript)

    Lines 031 to 033 contain the body of the SOAP message
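The receiver side of a UsernameToken like the one on lines 010 to 012, as an added example that is not from the slides: the PasswordDigest formula (Base64 of SHA-1 over nonce bytes, Created and password) is taken from the OASIS Username Token Profile listed in the references, and the credential store, password and clock are constructed. The check rejects stale Created timestamps and replayed nonces before it compares the digest, which the slide's line-by-line walk-through does not show.

```python
import base64
import hashlib
import secrets
from datetime import datetime, timedelta, timezone


def password_digest(nonce_b64, created, password):
    """PasswordDigest as assumed from the OASIS Username Token Profile:
    Base64( SHA-1( nonce_bytes + created_text + password_text ) )."""
    nonce = base64.b64decode(nonce_b64)
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def make_token(username, password, now):
    """Client side: a UsernameToken with a fresh random nonce and Created timestamp."""
    nonce_b64 = base64.b64encode(secrets.token_bytes(16)).decode("ascii")
    created = now.strftime("%Y-%m-%dT%H:%M:%SZ")
    return {"Username": username, "Nonce": nonce_b64, "Created": created,
            "PasswordDigest": password_digest(nonce_b64, created, password)}


class UsernameTokenVerifier:
    """Receiver side: freshness window, nonce replay cache, then digest comparison."""

    def __init__(self, passwords, max_skew=timedelta(minutes=5)):
        self.passwords = passwords      # username -> password (constructed store)
        self.max_skew = max_skew
        self.seen_nonces = set()        # nonces accepted inside the freshness window

    def verify(self, token, now):
        password = self.passwords.get(token["Username"])
        if password is None:
            return False, "unknown user"
        created = datetime.strptime(token["Created"], "%Y-%m-%dT%H:%M:%SZ")
        created = created.replace(tzinfo=timezone.utc)
        if abs(now - created) > self.max_skew:
            return False, "stale Created timestamp"   # outside the window the nonce cache covers
        if token["Nonce"] in self.seen_nonces:
            return False, "replayed nonce"            # same token presented a second time
        expected = password_digest(token["Nonce"], token["Created"], password)
        if not secrets.compare_digest(expected.encode(), token["PasswordDigest"].encode()):
            return False, "digest mismatch"           # wrong password or altered fields
        self.seen_nonces.add(token["Nonce"])          # remember only tokens that verified
        return True, "ok"


def demo():
    """Four presentations of tokens for the user Zoe; returns the verdict strings."""
    now = datetime(2007, 10, 23, 12, 0, 0, tzinfo=timezone.utc)         # constructed clock
    verifier = UsernameTokenVerifier({"Zoe": "correct horse battery"})  # constructed store
    fresh = make_token("Zoe", "correct horse battery", now)
    verdicts = [verifier.verify(fresh, now)[1]]            # accepted
    verdicts.append(verifier.verify(fresh, now)[1])        # same token again: replay
    wrong = make_token("Zoe", "wrong password", now)
    verdicts.append(verifier.verify(wrong, now)[1])        # digest built with the wrong password
    old = make_token("Zoe", "correct horse battery", now - timedelta(hours=1))
    verdicts.append(verifier.verify(old, now)[1])          # Created is an hour old
    return verdicts


if __name__ == "__main__":
    print(demo())
```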

  • Slide 26/65

    Interoperable secure messages across SOA environment

    WS-Security based messages: Tokens, Signature, Encrypted elements

    IBM WebSphere

    IBM WebSphere DataPower

  • Slide 27/65

    Trust model: trust, authentication and identity propagation

  • Slide 28/65

    WS-Trust

    Defines how to broker trust relationships; some trust relationship has to exist a priori

    Defines how to exchange security tokens

    Defined as an interface specification for a Security Token Service

    Anyone can issue tokens (be a Security Token Service)

  • Slide 29/65

    Getting Tokens

    A RequestSecurityToken message is sent to the trust service

    It responds with a RequestSecurityTokenResponse, which contains the required security token and associated details (e.g. proof)

    Example

    I want to have secure communication with you

    I ask the trust service for a token to allow me to talk to you

    The trust service sends two copies of a secret key: one encrypted for me (proof token), one encrypted for you (requested token)

  • Slide 30/65

    Example (diagram; only its labels survive): step 1 U/P, T1, P1; step 2 T2, P2, T1; step 3 T2; trust relationships between the parties; legend: T# = Security Token, P# = Proof token

  • Slide 31/65

    Identity mediation using WS-Trust: Tivoli Federated Identity Manager

    Diagram labels: ESB, Firewall, Firewall, Tivoli Federated Identity Manager, DataPower

  • Slide 32/65

    Challenge mechanism

    Request Token

    Issue Challenge

    Respond to Challenge

    Issue Token

  • Slide 33/65

    Other Token Characteristics

    Requester can specify various required characteristics of the security token: key type, size; delegation constraints

    Trust service can then indicate those characteristics in the response; it may indicate anything it thinks important

  • Slide 34/65

    Persisted Context

    SCT

  • Slide 35/65

    Farm Context

    SCT

  • Slide 36/65

    WS-SecureConversation

    WS-Security provides for single message security

    Nodes will often want to exchange more than one message

    Specifying new symmetric keys for each message is tedious, verbose, and inefficient

    WS-SecureConversation defines mechanisms to address this

  • Slide 37/65

    WS-SecureConversation

    Participants establish a shared context

    Context contains keys/secrets and other information

    Can be stateless (state embedded in security context token)

    Context established multiple ways: using token exchange; having one party create the context; through negotiation

  • Slide 38/65

    Policy

  • Slide 39/65

    Policy Framework

    Policy

    Policy Attachment

    Policy Assertions

    WSDL

  • Slide 40/65

    WS-Policy

    Framework for expressing Web service capabilities and requirements: Security, Transactions, Reliable messaging, Transports, ...

  • Slide 41/65

    WS-Policy Model

    Policy: collection of alternatives; pick one

    Alternative: collection of assertions; do all

    Assertion: domain-specific behavior

    Strongly typed

    Arbitrary parameters to behavior

  • Slide 42/65

    WS-Policy Expressions

    May represent a policy in a compact form

    Nest operators: All distributes over ExactlyOne

    Assertion/@wsp:Optional=true: an alternative with and an alternative without; simplification of prior @wsp:Usage=xs:QName

    Policy reference to reuse common expression: included as is where referenced

  • Slide 43/65

    WS-Policy Intersections

    Do two Web service endpoints have compatible policy?

    At design time to wire together compatible services; at runtime to select compatible options

    Two alternatives are compatible if they at least have the same assertion types
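Normalization and intersection as the WS-Policy slides above describe them, as an added example that is not from the slides: a policy is flattened into alternatives (All distributes over ExactlyOne; wsp:Optional="true" yields one alternative with the assertion and one without), and two alternatives are compatible when their assertion types match. The sp:* assertion names are taken from WS-SecurityPolicy and the provider and consumer policies are constructed.

```python
from itertools import product


class Assertion:
    """A domain-specific assertion; `optional` models wsp:Optional="true"."""

    def __init__(self, qname, params=None, optional=False):
        self.qname = qname            # assertion type, e.g. "sp:X509Token"
        self.params = params or {}    # arbitrary parameters to the behavior
        self.optional = optional

    def __repr__(self):
        return f"{self.qname}{self.params if self.params else ''}"


class All:
    def __init__(self, *children):
        self.children = children


class ExactlyOne:
    def __init__(self, *children):
        self.children = children


def normalize(node):
    """Normal form: a list of alternatives, each a list of (non-optional) assertions."""
    if isinstance(node, Assertion):
        bare = Assertion(node.qname, node.params)
        # wsp:Optional="true" expands to one alternative with it and one without.
        return [[bare], []] if node.optional else [[bare]]
    if isinstance(node, ExactlyOne):
        # pick one: the children's alternatives, concatenated
        return [alt for child in node.children for alt in normalize(child)]
    if isinstance(node, All):
        # do all: All distributes over ExactlyOne, i.e. a Cartesian product
        alts = [[]]
        for child in node.children:
            alts = [a + b for a, b in product(alts, normalize(child))]
        return alts
    raise TypeError(f"unknown policy operator: {node!r}")


def compatible(alt_a, alt_b):
    """Slide rule: two alternatives are compatible if they have the same assertion types."""
    return {a.qname for a in alt_a} == {b.qname for b in alt_b}


def intersect(policy_a, policy_b):
    """Pairs of compatible alternatives, one from each side; empty means no common option."""
    return [(a, b)
            for a in normalize(policy_a)
            for b in normalize(policy_b)
            if compatible(a, b)]


# Constructed provider: either token type, a signed Body always, an encrypted Body optionally.
PROVIDER = All(
    ExactlyOne(Assertion("sp:X509Token"), Assertion("sp:UsernameToken")),
    Assertion("sp:SignedParts", {"Body": True}),
    Assertion("sp:EncryptedParts", {"Body": True}, optional=True),
)

# Constructed consumer that can only do X.509 and signing, no encryption.
CONSUMER = All(Assertion("sp:X509Token"), Assertion("sp:SignedParts", {"Body": True}))

# Constructed consumer that insists on a Kerberos token the provider never offers.
KERBEROS_ONLY = All(Assertion("sp:KerberosToken"), Assertion("sp:SignedParts", {"Body": True}))


def chosen_types(policy_a, policy_b):
    """Sorted assertion types of the first compatible alternative, or None if none exists."""
    matches = intersect(policy_a, policy_b)
    return sorted(a.qname for a in matches[0][0]) if matches else None


if __name__ == "__main__":
    print(len(normalize(PROVIDER)), "provider alternatives")
    print(chosen_types(PROVIDER, CONSUMER))
    print(chosen_types(PROVIDER, KERBEROS_ONLY))
```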

  • Slide 44/65

    WS-Policy Runtime Intersections

  • Slide 45/65

    WS-PolicyAttachment

    Associate policy with WSDL constructs

    Interface-wide policy, e.g., SOAP version; transports (and addresses); which token to use when signing messages; which version of transactions (if any)

    Message policy, e.g., which parts of this message to sign; whether this message is part of a transaction

  • Slide 46/65

    WS-SecurityPolicy

    A set of policy assertions related to concepts defined by other WS-Sec* specs

    Allows participants to specify: token types; whether integrity and/or confidentiality are required; algorithms for the above; which message parts need signing/encrypting

  • Slide 47/65

    WS-SecurityPolicy Example

  • Slide 48/65

    Federation

  • Slide 49/65

    WS-Federation

    Single Sign-On access across trust domains using identities from the different domains

    WS-Federation defines a model for this, building on the WS-* security specifications: model for trust; sign out messages; attribute service; pseudonym service

  • Slide 50/65

    Federation using Tivoli Federated Identity Manager

    Diagram labels: Web Access / Web SSO; Benefits Service, Billing Service, Portal Service; Web SSO; WS-Security/WS-Federation/SAML; Partners using Microsoft, Partners using Liberty, Partners using SAML; Third-party User, Partner, Third Party, Third-Party Access; Tivoli Federated Identity Manager; User; Federated Access; Direct Access; WS-Federation/SAML

  • Slide 51/65

    Authorization

  • Slide 52/65

    Authorization (WS-Trust profile)

    Authorization service that renders authorization decision and can return entitlements

    Authorization attributes could be part of token issue

    Built on WS-Trust

    Now published as part of WS-Federation spec

  • Slide 53/65

    Secure, Reliable, Transacted Web Services

    Service Composition: BPEL4WS

    Composable Service Assurances: Security, Reliable Messaging, Transactions

    Description: XSD, WSDL, UDDI, Policy, MetadataExchange

    Messaging: XML, SOAP, Addressing

    Transports: HTTP, HTTPS, SMTP

    From joint IBM/MSFT WS Whitepaper at http://msdn.microsoft.com/webservices/default.aspx?pull=/library/en-us/dnwebsrv/html/wsoverview.asp

  • Slide 54/65

    Importance of Composition

    Everything works in combination

    Ex: Transaction context works over a reliable connection

    Ex: Participants use WS-Security to secure transactions (for all types of participants)

    Not "reinventing the wheel" for every stack: code reuse, lower costs, faster time to market

    Ex: all resources named using WS-Addressing

    The overall system is more stable: changes don't percolate up the stack

    Ex: By using WS-Security, Federation supports all tokens, including future ones

  • Slide 55/65

    IBM Product Support

  • Slide 56/65

    IBM Product Support

    WebSphere Application Server 5.0: supported WS-Security input spec as a technology preview

    WAS 5.02: supported the first WSS TC committee draft as a partial implementation

    WebSphere Application Server 5.1: increased support for the first WSS TC committee draft

    WebSphere Application Server 6.0: supports full OASIS WSS TC Standard v1.1

    Tivoli Federated Identity Manager: WS-Security support, WS-Trust support, WS-Federation support


  • Slide 58/65

    References (1 of 4)

    OASIS WSS TC Homepage: http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=wss

    Web Services Security: SOAP Message Security: http://www.oasis-open.org/committees/download.php/5941/oasis-200401-wss-soap-message-security-1.0.pdf

    Web Services Security: Username Token Profile: http://www.oasis-open.org/committees/download.php/5942/oasis-200401-wss-username-token-profile-1.0.pdf

    Web Services Security: X.509 Certificate Token Profile: http://www.oasis-open.org/committees/download.php/5943/oasis-200401-wss-x509-token-profile-1.0.pdf

    Schema Files: http://www.oasis-open.org/committees/download.php/5076/oasis-200401-wss-wssecurity-secext-1.0.xsd.xsd and http://www.oasis-open.org/committees/download.php/5075/oasis-200401-wss-wssecurity-utility-1.0.xsd.xsd

  • Slide 59/65

    References (2 of 4)

    OASIS WSS TC Call for participation & Original Charter: http://lists.oasis-open.org/archives/wss/200207/msg00000.html

    OASIS WSS TC Revised Charter after first TC meeting: http://lists.oasis-open.org/archives/members/200209/msg00007.html

    OASIS Announcement of public review phase for WS-Security: http://lists.oasis-open.org/archives/members/200309/msg00011.html

    OASIS Announcement of WSS voting as a 1.0 standard: http://lists.oasis-open.org/archives/members/200403/msg00014.html

    Original DeveloperWorks posting of WS-Security, Roadmap & Addendum: http://www-106.ibm.com/developerworks/webservices/library/ws-secure/ , http://www-106.ibm.com/developerworks/webservices/library/ws-secmap/ , http://www-106.ibm.com/developerworks/library/ws-secureadd.html

    WS-Security License from IBM: http://www.ibm.com/ibm/licensing/977Q/2112.shtml

    WS-Security License from Microsoft: http://msdn.microsoft.com/webservices/wss_license.aspx

  • Slide 60/65

    References (3 of 4)

    OASIS WSS TC Disposition of public review/comments: http://lists.oasis-open.org/archives/wss/200401/msg00157.html , http://lists.oasis-open.org/archives/wss/200311/msg00044.html

    OASIS WSS TC Notes sent to OASIS at submission time: http://lists.oasis-open.org/archives/wss/200402/msg00040.html , http://www.oasis-open.org/apps/org/workgroup/wss/download.php/5334/submission-notes.pdf

    Statements of implementation:

    http://lists.oasis-open.org/archives/wss/200402/msg00022.html

    http://lists.oasis-open.org/archives/wss/200402/msg00023.html

    http://lists.oasis-open.org/archives/wss/200402/msg00024.html

    http://lists.oasis-open.org/archives/wss/200402/msg00025.html

    http://lists.oasis-open.org/archives/wss/200402/msg00026.html

    http://lists.oasis-open.org/archives/wss/200402/msg00027.html

    http://lists.oasis-open.org/archives/wss/200402/msg00028.html

    http://lists.oasis-open.org/archives/wss/200402/msg00029.html

  • Slide 61/65

    References (4 of 4)

    OASIS WSS TC Public review comments archive

    http://lists.oasis-open.org/archives/wss-comment/

    OASIS WSS TC Latest issues list as of 3/23/2004

    http://www.oasis-open.org/committees/download.php/6047/wss-issues-36.htm
