WSO2 SOA Security

Secured SOA By Prabath Siriwardena ~ WSO2 Santa Clara , CA


Page 1: WSO2 SOA Security

Secured SOA

By Prabath Siriwardena ~ WSO2

Santa Clara, CA

Page 2: WSO2 SOA Security
Page 3: WSO2 SOA Security
Page 4: WSO2 SOA Security
Page 5: WSO2 SOA Security
Page 6: WSO2 SOA Security

Securing a Web Service..???

Page 7: WSO2 SOA Security
Page 8: WSO2 SOA Security
Page 9: WSO2 SOA Security

People Can SEE What You Send

Page 10: WSO2 SOA Security

People Can ALTER What You Send

Page 11: WSO2 SOA Security

People Can ALTER What You Send

Page 12: WSO2 SOA Security

Anyone Can CALL Your Service

Page 13: WSO2 SOA Security

People SEE What’s On

Page 14: WSO2 SOA Security

People Can ALTER What’s On

Page 15: WSO2 SOA Security

People Can ALTER What’s On

Page 16: WSO2 SOA Security

HTTP is NOT Secured

Page 17: WSO2 SOA Security

HTTPS

Page 18: WSO2 SOA Security

HTTPS is Transport Level

Page 19: WSO2 SOA Security
Page 20: WSO2 SOA Security
Page 21: WSO2 SOA Security

Security inherited from the transport channel

Page 22: WSO2 SOA Security

Safe only while on the transport

Page 23: WSO2 SOA Security

Parts of the message CANNOT BE encrypted

Page 24: WSO2 SOA Security
Page 25: WSO2 SOA Security

Authenticating with HTTPS ?

Page 26: WSO2 SOA Security

BasicAuth

Page 27: WSO2 SOA Security
Page 28: WSO2 SOA Security
Page 29: WSO2 SOA Security
Page 30: WSO2 SOA Security

Mutual Authentication

Page 31: WSO2 SOA Security

SSL Handshake

Page 32: WSO2 SOA Security

CLIENT_HELLO

Highest SSL Version,

Ciphers Supported,

Data Compression Methods,

SessionId = 0,

Random Data

Page 33: WSO2 SOA Security

SERVER_HELLO

Selected SSL Version,

Selected Cipher,

Selected Data Compression Method,

Assigned Session Id,

Random Data

Page 34: WSO2 SOA Security

CERTIFICATE

Public Key,

Authentication Signature

Page 35: WSO2 SOA Security

CLIENT_CERT_REQUEST

[Optional]

Page 36: WSO2 SOA Security

CLIENT_CERT

[Optional]

Page 37: WSO2 SOA Security

CLIENT_KEY_EXCHANGE

Page 38: WSO2 SOA Security

CERTIFICATE_VERIFY[Optional]

Page 39: WSO2 SOA Security

CHANGE_CIPHER_SPEC

Page 40: WSO2 SOA Security

FINISHED

Page 41: WSO2 SOA Security

CHANGE_CIPHER_SPEC

Page 42: WSO2 SOA Security

FINISHED
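The message order on the preceding slides, as an added example that is not part of the original deck: a small Python checker that walks an observed handshake transcript, tolerates the optional client-certificate steps, and reports whether mutual authentication actually happened. The transcript format and the strict rule that a certificate request must be answered are assumptions of this model, not TLS behaviour.

```python
# Added example, not from the deck: a model of the slides' message order, not a TLS stack.
from dataclasses import dataclass

@dataclass(frozen=True)
class Step:
    name: str
    sender: str             # "client" or "server"
    optional: bool = False  # only appears when the server asks for a client cert

HANDSHAKE = [
    Step("CLIENT_HELLO", "client"),
    Step("SERVER_HELLO", "server"),
    Step("CERTIFICATE", "server"),
    Step("CLIENT_CERT_REQUEST", "server", optional=True),
    Step("CLIENT_CERT", "client", optional=True),
    Step("CLIENT_KEY_EXCHANGE", "client"),
    Step("CERTIFICATE_VERIFY", "client", optional=True),
    Step("CHANGE_CIPHER_SPEC", "client"),
    Step("FINISHED", "client"),
    Step("CHANGE_CIPHER_SPEC", "server"),
    Step("FINISHED", "server"),
]

def check_handshake(transcript):
    """transcript: observed (sender, message) pairs in order.
    Returns (ok, mutual_auth, reason)."""
    seen, i = set(), 0
    for sender, msg in transcript:
        # skip optional steps the peer chose not to send
        while i < len(HANDSHAKE) and HANDSHAKE[i].optional and HANDSHAKE[i].name != msg:
            i += 1
        if i == len(HANDSHAKE):
            return False, False, f"unexpected trailing message {msg}"
        step = HANDSHAKE[i]
        if (sender, msg) != (step.sender, step.name):
            return False, False, f"expected {step.sender} {step.name}, got {sender} {msg}"
        seen.add(msg)
        i += 1
    if any(not s.optional for s in HANDSHAKE[i:]):
        return False, False, "handshake incomplete"
    # In this model a certificate request must be answered, and a client
    # certificate without CERTIFICATE_VERIFY proves nothing: the client never
    # demonstrated possession of the private key, so it is not authenticated.
    has_cert, has_verify = "CLIENT_CERT" in seen, "CERTIFICATE_VERIFY" in seen
    if ("CLIENT_CERT_REQUEST" in seen and not has_cert) or (has_verify and not has_cert):
        return False, False, "client certificate requested or verified but never presented"
    if has_cert and not has_verify:
        return False, False, "client certificate presented without proof of possession"
    return True, has_cert and has_verify, "ok"
```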

Page 43: WSO2 SOA Security

MONDAY Morning

Page 44: WSO2 SOA Security

NOT Happy With HTTPS

Page 45: WSO2 SOA Security

Requires END To END Security

Page 46: WSO2 SOA Security

Parts of message need to be Encrypted

Page 47: WSO2 SOA Security

<soap:Envelope>
  <soap:Body>
    <ns1:withdrawMoney>
      <param1></param1>
      <param2></param2>
      <param3></param3>
    </ns1:withdrawMoney>
  </soap:Body>
</soap:Envelope>

Page 48: WSO2 SOA Security

<soap:Envelope>
  <soap:Body>
    <ns1:withdrawMoney>
      <param1></param1>
      <param2></param2>
      <param3></param3>
    </ns1:withdrawMoney>
  </soap:Body>
</soap:Envelope>

Page 49: WSO2 SOA Security

Message Level Security

Page 50: WSO2 SOA Security

XML Encryption

Page 51: WSO2 SOA Security

XML Signature

Page 52: WSO2 SOA Security

WS - Security

Page 53: WSO2 SOA Security

Confidentiality

Page 54: WSO2 SOA Security

Integrity

Page 55: WSO2 SOA Security

NON - Repudiation

Page 56: WSO2 SOA Security

Authentication

Page 57: WSO2 SOA Security

UsernameToken

Page 58: WSO2 SOA Security

<wsse:UsernameToken wsu:Id="Example-1">
  <wsse:Username> ... </wsse:Username>
  <wsse:Password Type="..."> ... </wsse:Password>
  <wsse:Nonce EncodingType="..."> ... </wsse:Nonce>
  <wsu:Created> ... </wsu:Created>
</wsse:UsernameToken>
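A worked example added here (not from the slides or WSO2's own code) of the UsernameToken above with a PasswordDigest password: the client side builds the token, and the server side verifies the digest, enforces a freshness window on <wsu:Created> and rejects a reused nonce. The namespace URIs and the digest rule are the published Username Token Profile values; the username, password and five-minute window are constructed sample values.

```python
# Added example, not from the deck or WSO2 code; URIs and digest rule are from the Username Token Profile.
import base64, hashlib, hmac, os
import datetime as dt
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
B64 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
ET.register_namespace("wsse", WSSE)
ET.register_namespace("wsu", WSU)

def password_digest(nonce: bytes, created: str, password: str) -> str:  # Base64(SHA-1(nonce + created + password))
    return base64.b64encode(hashlib.sha1(nonce + created.encode() + password.encode()).digest()).decode()

def parse_time(s: str) -> dt.datetime:
    return dt.datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)

def build_token(username: str, password: str, created: str = None, nonce: bytes = None) -> str:
    """Client side: UsernameToken with a fresh random nonce and creation time (never the clear password)."""
    nonce = nonce or os.urandom(16)
    created = created or dt.datetime.now(dt.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    tok = ET.Element(f"{{{WSSE}}}UsernameToken", {f"{{{WSU}}}Id": "Example-1"})
    ET.SubElement(tok, f"{{{WSSE}}}Username").text = username
    ET.SubElement(tok, f"{{{WSSE}}}Password", {"Type": DIGEST}).text = password_digest(nonce, created, password)
    ET.SubElement(tok, f"{{{WSSE}}}Nonce", {"EncodingType": B64}).text = base64.b64encode(nonce).decode()
    ET.SubElement(tok, f"{{{WSU}}}Created").text = created
    return ET.tostring(tok, encoding="unicode")

class TokenVerifier:
    """Server side: digest check, freshness window on Created, and nonce cache against replay."""
    def __init__(self, users: dict, max_age: dt.timedelta = dt.timedelta(minutes=5)):
        self.users, self.max_age, self.seen = users, max_age, set()

    def verify(self, token_xml: str, now: dt.datetime = None) -> bool:
        tok = ET.fromstring(token_xml)
        user, created = tok.findtext(f"{{{WSSE}}}Username"), tok.findtext(f"{{{WSU}}}Created")
        pw = tok.find(f"{{{WSSE}}}Password")
        nonce = base64.b64decode(tok.findtext(f"{{{WSSE}}}Nonce") or "")
        if user not in self.users or pw is None or pw.get("Type") != DIGEST or not created:
            return False                  # unknown user or a non-digest password type
        now = now or dt.datetime.now(dt.timezone.utc)
        if abs(now - parse_time(created)) > self.max_age:
            return False                  # stale token (beyond clock-skew tolerance)
        if (user, nonce) in self.seen:
            return False                  # nonce already used: replay
        if not hmac.compare_digest(password_digest(nonce, created, self.users[user]), pw.text or ""):
            return False                  # wrong password
        self.seen.add((user, nonce))
        return True
```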

Page 59: WSO2 SOA Security

NOBODY Can See the Message in Clear Text Other

than the Intended Recipient

Page 60: WSO2 SOA Security

NOBODY In the Middle Can ALTER the Message

Page 61: WSO2 SOA Security

Only the Authenticated Users Can Invoke the Service

Page 62: WSO2 SOA Security

Sign & Encrypt OR Encrypt & Sign

Page 63: WSO2 SOA Security

Sign & Encrypt

[Diagram legend: Message, Signature]

Page 64: WSO2 SOA Security

XML Signature defines THREE

types of signatures

Page 65: WSO2 SOA Security

[Diagram: <Message> and <Signature> elements]

Page 66: WSO2 SOA Security

[Diagram: <Message> and <Signature> elements]

Page 67: WSO2 SOA Security

[Diagram: <Message> and <Signature> elements]

Page 68: WSO2 SOA Security

[Diagram: <Envelope> containing <Header> and <Body>, with <Message> and <Signature> elements]

Page 69: WSO2 SOA Security

Sign & Encrypt With WS-Security

Page 70: WSO2 SOA Security

Step 1: [Diagram: <Envelope> with <Body> holding <Message>]

Page 71: WSO2 SOA Security

Step 2: [Diagram: <Envelope> with <Header> holding <Signature> and <Body> holding <Message>]

Page 72: WSO2 SOA Security

Step 3: [Diagram: <Envelope> with <Header> holding <Signature> and <Body> holding <EncryptedData>]

Page 73: WSO2 SOA Security

Encrypt & Sign

[Diagram legend: Message, Signature]

Page 74: WSO2 SOA Security

Step 1: [Diagram: <Envelope> with <Body> holding <Message>]

Page 75: WSO2 SOA Security

Step 2: [Diagram: <Envelope> with <Body> holding <EncryptedData>]

Page 76: WSO2 SOA Security

Step 3: [Diagram: <Envelope> with <Header> holding <Signature> and <Body> holding <EncryptedData>]

Page 77: WSO2 SOA Security

XML Signature

XML Encryption

Username Token Profile

X.509 Token Profile

WS - Security

Page 78: WSO2 SOA Security

DONE with My First Assignment

Page 79: WSO2 SOA Security

BUT… Paul NOT Happy

Page 80: WSO2 SOA Security

Authentication LIMITED to

INTERNAL Users ONLY

Page 81: WSO2 SOA Security

Users OUTSIDE Our Domain Need ACCESS

Page 82: WSO2 SOA Security

We DON’T Have Their Credentials

Page 83: WSO2 SOA Security

We Can’t Use UsernameToken

Page 84: WSO2 SOA Security

Delegate Authentication to the External Domain

itself

Page 85: WSO2 SOA Security

They Should Know How to Authenticate Their Own

Users

Page 86: WSO2 SOA Security

We TRUST What the External Domain Says

Page 87: WSO2 SOA Security
Page 88: WSO2 SOA Security

WS-TRUST

Page 89: WSO2 SOA Security

<s:Envelope>
  <s:Header>
    <wsa:Action>http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue</wsa:Action>
  </s:Header>
  <s:Body>
    <wst:RequestSecurityToken>
      <wst:TokenType>http://example.org/mySpecialToken</wst:TokenType>
      <wst:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</wst:RequestType>
    </wst:RequestSecurityToken>
  </s:Body>
</s:Envelope>

Page 90: WSO2 SOA Security

<s:Envelope>
  <s:Header>
    <wsa:Action>http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/Issue</wsa:Action>
  </s:Header>
  <s:Body>
    <wst:RequestSecurityTokenResponseCollection>
      <wst:RequestSecurityTokenResponse>
        <wst:RequestedSecurityToken>
          <xyz:CustomToken xmlns:xyz="..."> </xyz:CustomToken>
        </wst:RequestedSecurityToken>
      </wst:RequestSecurityTokenResponse>
    </wst:RequestSecurityTokenResponseCollection>
  </s:Body>
</s:Envelope>

Page 91: WSO2 SOA Security

XML Signature

XML Encryption

Username Token Profile

X.509 Token Profile

WS - Security

WS - Trust

Page 92: WSO2 SOA Security

Another Problem on HAND…

Page 93: WSO2 SOA Security

How Do We Communicate our Security

Requirements to Outsiders ?

Page 94: WSO2 SOA Security

The Encryption Algorithm We Use…

Page 95: WSO2 SOA Security

Key Size…

Page 96: WSO2 SOA Security

Token Types…

Page 97: WSO2 SOA Security

Elements to be Signed…

Page 98: WSO2 SOA Security

Elements to be Encrypted…

Page 99: WSO2 SOA Security

Use Symmetric Key or Asymmetric Key…

Page 100: WSO2 SOA Security

WS-Security Policy

Page 101: WSO2 SOA Security

Finally… all on the White Board…

Page 102: WSO2 SOA Security
Page 103: WSO2 SOA Security
Page 104: WSO2 SOA Security

http://wso2.com

http://wso2.com/about/contact


Page 105: WSO2 SOA Security

Thank You…!!!