The Common Services Framework Project
-
Upload
rose-salas -
Category
Documents
-
view
34 -
download
1
description
Transcript of The Common Services Framework Project
The Common Services The Common Services Framework ProjectFramework Project
Adding Security and Values to Adding Security and Values to Heterogeneous Web Services Heterogeneous Web Services
EnvironmentEnvironment
Frederick ChongFrederick Chong
Software Design EngineerSoftware Design Engineer
MicrosoftMicrosoft
Kevin W. WallKevin W. Wall
Staff Software EngineerStaff Software Engineer
Qwest ITQwest IT
CSF Project BackgroundCSF Project Background
Joint work between .NET Enterprise Joint work between .NET Enterprise Architecture Team, MCS and Qwest.Architecture Team, MCS and Qwest.
Multiple phases of the project. This Multiple phases of the project. This presentation is about phase 1.presentation is about phase 1.
Business DriversBusiness Drivers Expose and resell existing internal Expose and resell existing internal
Telco applicationsTelco applications Reuse same infrastructure for Reuse same infrastructure for
managing external applications managing external applications hosted by third partieshosted by third parties
Leverage management of web Leverage management of web services through centralized interfaceservices through centralized interface
Provide common security solution to Provide common security solution to web servicesweb services
ChallengesChallenges
Exposing information and Exposing information and functionality in a modular, scalable, functionality in a modular, scalable, secure, and internet-friendly way secure, and internet-friendly way have significant challenges:have significant challenges:• Time-to-marketTime-to-market• Scaling to the webScaling to the web• Lack of end-to-end development toolsLack of end-to-end development tools• Inability to interact between applications Inability to interact between applications
developed in heterogeneous platforms developed in heterogeneous platforms and environmentsand environments
XML Web Services to the RescueXML Web Services to the Rescue Web Services provide loosely coupled Web Services provide loosely coupled
applications and components designed applications and components designed for today’s heterogeneous computing for today’s heterogeneous computing landscapelandscape• Improves programmer productivityImproves programmer productivity• Ease of deploymentEase of deployment• Facilitates sharing and reuse of componentsFacilitates sharing and reuse of components• Communicating using Internet protocols Communicating using Internet protocols
and standards, such as SOAP and XML.and standards, such as SOAP and XML. Web Services == ISDN ?Web Services == ISDN ?
I See Dollars Now
Selling Web ServicesSelling Web ServicesWeb Services Owners/Providers
Web Services Consumers
Web Applications Users
Employing Web ServicesEmploying Web Services
Applications that employ web Applications that employ web services in their architecture have to services in their architecture have to consider 3 phases of the web service consider 3 phases of the web service life cycle:life cycle:• Web service developmentWeb service development• Web service deploymentWeb service deployment• Web service consumptionWeb service consumption
All phases involves several All phases involves several management challengesmanagement challenges
Development ChallengesDevelopment Challenges
Web Service developers are concerned with:Web Service developers are concerned with: Securing web servicesSecuring web services
• How to secure service component so that only How to secure service component so that only authenticated & authorized users are able to authenticated & authorized users are able to consume them.consume them.
Managing versionsManaging versions• Manage versions of services components so Manage versions of services components so
that consumers are least impactedthat consumers are least impacted Logging usage and health of servicesLogging usage and health of services
• Monitoring the health of a web service, and Monitoring the health of a web service, and reporting on usage (volume, components reporting on usage (volume, components accessed, …)accessed, …)
Deployment ChallengesDeployment Challenges
Web Service administrators are concerned with:Web Service administrators are concerned with: SecuritySecurity AvailabilityAvailability ReliabilityReliability RecoveryRecovery Access Access User ManagementUser Management Consumption AnalysisConsumption Analysis Production EnvironmentProduction Environment
Consumer ChallengesConsumer ChallengesDevelopers writing Developers writing client applications that consumeclient applications that consume web services must address issues such as those faced web services must address issues such as those faced by their counterparts developing the Web services. by their counterparts developing the Web services.
Issues that must be analyzed may include:Issues that must be analyzed may include:• How many transactions/sec will the Web service be able to How many transactions/sec will the Web service be able to
support?support?• Are the Web services secure?Are the Web services secure?• Is the information sent encrypted? If so, how do I encrypt the Is the information sent encrypted? If so, how do I encrypt the
information?information?• How reliable is the Web service? How reliable is the Web service? • Is there a way of knowing my consumption pattern?Is there a way of knowing my consumption pattern?
Web Services in QwestWeb Services in Qwest Large number of custom WS have been Large number of custom WS have been
developed and deployeddeveloped and deployed WS support increasingly sophisticated WS support increasingly sophisticated
business processes. business processes. Development and management of WS is Development and management of WS is
continuously evolving in their continuously evolving in their complexitiescomplexities
Multiple technologies used: .NET, GLUE, Multiple technologies used: .NET, GLUE, WLSWLS
Web Services Common Web Services Common RequirementsRequirements
All web services developed have a common All web services developed have a common set of needs: set of needs: • Security:Security:
Authentication, Authorization, Authentication, Authorization, Confidentiality, Data IntegrityConfidentiality, Data Integrity
• Global availabilityGlobal availability• ReliabilityReliability• Version managementVersion management• Metering, Monitoring and LoggingMetering, Monitoring and Logging• Interoperability of applicationsInteroperability of applications
Why CSF/WS Management?Why CSF/WS Management? In summary:In summary:
• Need a set of capabilities to support increasingly Need a set of capabilities to support increasingly sophisticated business processes enabled through sophisticated business processes enabled through web servicesweb services
• Address global availability, reliability, security, Address global availability, reliability, security, version management, metering, monitoring, version management, metering, monitoring, deployment & consumption challengesdeployment & consumption challenges
• Ensure interoperability of applicationsEnsure interoperability of applications• Lower development and deployment time and costLower development and deployment time and cost• Some of the needs can be met by current Web Some of the needs can be met by current Web
technologies, but others clearly need new toolstechnologies, but others clearly need new tools
Logical View of the Common Services Logical View of the Common Services FrameworkFramework Web Services
Owners/ProvidersWeb Services Consumers
Web Applications Users
Common Services
Framework
Common Services
Framework
Basic Flows in the Common Basic Flows in the Common Services FrameworkServices Framework
Company A(Web Service Provider)
1. Register Organization with CSF
Company B(Web Service Consumer)
CSF Administration
4. Register Organization with CSF
Common Service Framework
2. Register Web Service3. Define access policies5. Subscribe to Company
A’s Web service
CSF RuntimeCSF Client Toolkit
Secure Log Route6. Consume web service
7. Web service response
CSF ComponentsCSF Components CSF Components include:CSF Components include:
• CSF AdministrationCSF Administration Registration of web services Registration of web services Creation and administration of security policies & Creation and administration of security policies &
privilegesprivileges Multiple Routing scenarios and versioningMultiple Routing scenarios and versioning Manage subscription to web service consumptionManage subscription to web service consumption
• CSF Run Time CSF Run Time Web services securityWeb services security Unified logging and monitoringUnified logging and monitoring Static Routing and Dynamic RoutingStatic Routing and Dynamic Routing
• CSF Client Tool kitCSF Client Tool kit Standard libraries for WS clientStandard libraries for WS client Configuration drivenConfiguration driven Enables client to act as a transparent forward Enables client to act as a transparent forward
proxyproxy
Challenges Addressed by CSF Challenges Addressed by CSF Phase 1Phase 1
Web services securityWeb services security Policy-driven routing of web service Policy-driven routing of web service
requests and responsesrequests and responses Web service traffic loggingWeb service traffic logging Builds foundation for adding more Builds foundation for adding more
value added services (Metering, value added services (Metering, Billing etc.)Billing etc.)
CSF Security RequirementsCSF Security Requirements
Unilateral or mutual authenticationUnilateral or mutual authentication Access control at granularity of web Access control at granularity of web
service methodservice method Session-level confidentialitySession-level confidentiality Session-level integritySession-level integrity
• Including replay preventionIncluding replay prevention
CSF Security WishlistCSF Security Wishlist
End-to-end confidentiality and End-to-end confidentiality and integrityintegrity
Non-repudiation of origin, of receipt, Non-repudiation of origin, of receipt, and deliveryand delivery
Content inspection / scrubbingContent inspection / scrubbing• Input validationInput validation• CanonicalizationCanonicalization• Parameter manipulationParameter manipulation
Web Services SecurityWeb Services Security AuthenticationAuthentication
• WS-SecurityWS-Security Password-basedPassword-based X.509 public key certificatesX.509 public key certificates End-to-end authenticationEnd-to-end authentication
• Basic authentication over HTTPSBasic authentication over HTTPS AuthorizationAuthorization
• Role-based authorization and business Role-based authorization and business rulesrules
Web Services SecurityWeb Services Security
Authentication and Authorization Authentication and Authorization Implementations:Implementations:• Qwest re-used their existing corporate Qwest re-used their existing corporate
LDAP Directory and RSA ClearTrust LDAP Directory and RSA ClearTrust productsproducts
• Could be easily replaced by Microsoft Could be easily replaced by Microsoft Active Directory and Windows Role-Active Directory and Windows Role-based Authorization Manager based Authorization Manager FrameworkFramework
Web Services SecurityWeb Services Security
ConfidentialityConfidentiality• WS-SecurityWS-Security
Symmetric and Asymmetric Key Symmetric and Asymmetric Key EncryptionEncryption
End-to-end encryptionEnd-to-end encryption
• HTTPSHTTPS For clientsFor clients that don’t speak WS- that don’t speak WS-
SecuritySecurity
Policy-based RoutingPolicy-based Routing Goal is to enable service differentiationGoal is to enable service differentiation Bundle different physical deployments of Bundle different physical deployments of
Web service into a single serviceWeb service into a single service Use policy-based routing to enforce Use policy-based routing to enforce
service differentiationservice differentiation Routing policy could be based on any Routing policy could be based on any
defined attributes:defined attributes:• Class of service. e.g. Silver, Gold, Platinum Class of service. e.g. Silver, Gold, Platinum
subscriptionsubscription• User privileges – VP vs. Manager vs. User privileges – VP vs. Manager vs.
Contractor rolesContractor roles• Time of day etc.Time of day etc.
Web Service Logging and Web Service Logging and MonitoringMonitoring
Log web service requests, responses, Log web service requests, responses, security events, etc.security events, etc.
Logging level can be changed by Logging level can be changed by configurationconfiguration
Uses Windows Management and Uses Windows Management and Instrumentation (WMI)Instrumentation (WMI)
Use Microsoft Operations Manager (MOM) Use Microsoft Operations Manager (MOM) for Collection and Analysisfor Collection and Analysis
Foundation for building other value added Foundation for building other value added services, e.g. Metering and Billingservices, e.g. Metering and Billing
CSF Runtime ArchitectureCSF Runtime Architecture
CSF Runtime Engine
RSA ClearTrust
Authentication
Logging using WMI
Custom Business Rules Engine
for Routing Policy
Runtime features are pluggable and configurableRuntime features are pluggable and configurable Input and Output pipeline message processingInput and Output pipeline message processing
RSA ClearTrustAuthentication
RSA ClearTrustfor
Authorization
Logging using WMI
SOAP Request
Soap Response
Message Router
Request Message Context
Request Message Context
Response Message Context
Response Message Context
b
CSF Runtime Deployment ScenariosCSF Runtime Deployment Scenarios
As a Web service intermediaryAs a Web service intermediary
.NETWeb Service
Security LogPolicy-based
Routing
CSF Runtime
Web Service Intermediary
J2EEWeb Service
J2EEWeb Service
Client
CSF Client Toolkit
.NETWeb Service
Client
CSF Runtime Deployment CSF Runtime Deployment ScenariosScenarios
As a chain of web service intermediariesAs a chain of web service intermediaries Distribute processing across Distribute processing across
intermediariesintermediaries AKA “The Message Bus” to some peopleAKA “The Message Bus” to some people
CSF Runtime
•Authenticate•Route
Web Service Intermediary
CSF Runtime
•Authorize•Log•Route
Web Service Intermediary
J2EEWeb Service
Client
.NETWeb Service
J2EEWeb Service
CSF Client Toolkit
.NETWeb Service
Client
CSF Runtime Deployment CSF Runtime Deployment ScenariosScenarios
““In-Proc” ModelIn-Proc” Model End-to-end processingEnd-to-end processing
.NETWeb Service.NET
Web Service Client
CSF Runtime
•Authenticate•Encrypt/Decrypt
CSF Runtime
•Authenticate•Encrypt/Decrypt•Authorize•Log
CSF Runtime Deployment CSF Runtime Deployment Scenarios SummaryScenarios Summary
Flexibly combine all modelsFlexibly combine all models
.CSF Runtime
NETWeb Service
J2EEWeb Service
J2EEWeb Service
Client
CSF Runtime
.NETWeb Service Client
Web Service
Intermediary
Web Service
Intermediary
CSF Runtime
CSF Runtime
ConclusionsConclusions
Multiple challenges in Web services Multiple challenges in Web services managementmanagement
Common Service Framework:Common Service Framework:• Administrative FrameworkAdministrative Framework
Registering web services and consumersRegistering web services and consumers Managing policies for security, routing etc.Managing policies for security, routing etc.
• Runtime FrameworkRuntime Framework Enforcing web service management policiesEnforcing web service management policies Easy to add more management enforcement Easy to add more management enforcement
capabilitiescapabilities Flexible to support many deployment modelsFlexible to support many deployment models