Web Services Infrastructure
Overview
UNC – General Administration
Motivation
Inter-institutional Registration System
  Existing UNC students
  Broker between Home and Visited campus
  Integrate with Banner/ERP systems
  Avoid manual data entry
Exam Proctoring Network
  Exam publication and distribution for faculty
  Students find/schedule proctors
  Integrate with Banner/ERP
    What classes are faculty teaching?
    What classes are students taking?
Requirements (both systems)
  Data transfer
  Transaction context
  Real-time
  Integration over:
    Disparate platforms (Windows vs. Linux; Banner vs. PeopleSoft; Oracle vs. MySQL)
    Different programming languages (Java vs. PHP)
    Broad geographic areas
    Varying network topologies
Overview
Idea
Define a standard way to communicate
Using loosely coupled tools
Over a variety of platforms/languages
Standardization
Without a standard: each sender's "My View" has to be mapped to every receiver's "My View".
With a standard: senders map to one Canonical View and receivers map from it (Canonical = Standard).
Web Services
WSDL – Web Services Description Language
  XML Schema
  Defines an "interface" (contract)
  Function definition (input, output, data types)
SOAP – message envelope
  XML, normally carried over HTTP
  HTTP is one of many possible transport mechanisms
SOA vs. Web Service
By analogy: Brick : Wall :: Web Service : SOA
SOA = paradigm for assembling web services into an efficient, reusable system.
Security
UNC System Network Topology
No private network
Must use public network
PKI – Public Key Infrastructure
Sign & Encrypt messages (WS-Security)
Same question as with ssh host keys: how does a requestor know that the public key it just fetched belongs to the service and not to a man-in-the-middle?
Solution – Use a trusted metadata service: the federation publishes every entity's public key in metadata signed with a key that all entities already trust
Overview
Provider and Requestor each run the same stack:
  Programming Language (PHP)
  SOA Framework (WSO2)
  Web Server (Apache)
  PKI – Signed & Encrypted using public/private key pairs
Federation – Web Service (PKI Authorization List)
  • List of trusted entities
  • Public-key repository
Message flow:
  1. Initiate (Requestor)
  2. Find Service (Requestor asks the Federation web service)
  3. Consume Service (Requestor → Provider, port 80/443)
  4. Verify (PKI)
  5. Authorize (against the PKI Authorization List)
  6. Implement Service (Provider: Banner/Oracle, Registrar)
  7. Return Results (Provider → Requestor)
  8. Verify PKI (Requestor checks the response)
  9. Use (Requestor)
Virtual Appliance: the Provider/Requestor stack above is delivered to each campus as a virtual appliance.
Success of Shibboleth IdP deployments
Ownership Model & Responsibilities
Idea
  GA implements once
  Deploys to each campus with VMWare
  Campus "owns" the appliance
  Configures it within its environment
  Support from GA
Goal
  Efficiency
  Consistency
  Cost effectiveness
  Simplicity
Appliance stack and who handles each layer:
  Application Code (PL/SQL)  – Campus configures, with assistance from GA
  SOA Framework (WSO2)       – Just a dummy pass-through
  Programming Lang (PHP)
  Web Server (Apache)        – Campus configures and patches (standard RHEL)
  Operating System (RHEL 5)
Virtual Appliance: Oracle Package
UNC-GA Web Services Framework (Campus VM Server)
  WS Client
  WS Service Handler
Campus Managed
  Client Application
  Oracle Package
    Campus Interface Procedure
    Translation Procedure(s)
    Translation Tables
  Banner Tables
The Client Application reaches the WS Client, and the WS Service Handler reaches Banner, through the campus Oracle Package (Campus Interface Procedure → Translation Procedure(s) / Translation Tables → Banner Tables). Every message between WS Client and WS Service Handler is SIGNED AND ENCRYPTED.
Services
Inter-institutional Registration
Get Student
Pull core student data for approved request
Get Course Capacity
Determine number of open slots in a course
Huge benefit to registrars and students
Set Student (future)
Push core student data and approved courses to Banner for automation.
Use existing APIs
UNC Identity Federation
Find Person (future)
Enable cross-campus directory search
Simplify application authorizations within the Shibboleth federation
Get a person’s “handle” when setting up application authorizations.
Services - continued
Exam Proctoring Network
GetStudentCourses
Determine the courses the student is currently taking
GetFacultyCourses
Determine which courses the faculty is currently teaching
GetClassRoster
Determine all students taking a course
GetTermCourses (maybe)
Determine the courses currently being offered in a term
Currently, this is manually submitted via the Registrar’s Office
Technical Illustrations
The following slides provide animations to illustrate
how the web services federation ensures security
during its message exchanges.
These slides are best viewed in “Slide show” format.
Trusted Transaction: Setup
Client Entity                             Service Entity
  Prog Lang (Java, PHP, etc)                Prog Lang (Java, PHP, etc)
  SOA Framework                             SOA Framework
  Web Server (Apache, IIS, Tomcat)          Web Server (Apache, IIS, Tomcat)
  Holds: PrivkeyCE, CertCE, CertF           Holds: PrivkeySE, CertSE, CertF
Service Definition: WSDL/SOAP
Federation: Trust Fabric Metadata
  Contains CertSE, CertCE and CertF
  Signed with PrivkeyF (Sign(PrivkeyF)); only the federation holds PrivkeyF
Each entity is provisioned with its own private key and certificate plus CertF; it holds nothing about its peers in advance.
Trusted Transaction: Request
Client Entity (PrivkeyCE, CertCE, CertF)
  1. Get Metadata (from the Federation trust fabric)
  2. Verify Signature (of the metadata, with CertF)
  3. Create Request (from the WSDL in the metadata)
  4. Sign Request (PrivkeyCE)
  5. Encrypt Request (CertSE, taken from the verified metadata)
  ... wait for response ...
Details
  $metadata = download();
  if (verify_signature($metadata, CertF))
      $wsdl = extract_wsdl($metadata);
      CertSE = extract_cert($metadata);
      Request = create_request($wsdl, $param1, ... etc);
      sign_encrypt_send(Request, PrivkeyCE, CertSE);
      ... wait for response ...
  else
      display error
  end if
Trusted Transaction: Respond
Service Entity (PrivkeySE, CertSE, CertF)
  6. Get Metadata
  7. Verify Signature (of the metadata, with CertF)
  8. Decrypt request (PrivkeySE)
  9. Verify request signature (CertCE, taken from the verified metadata)
  10. Implement / Create Response
  11. Sign Response (PrivkeySE)
  12. Encrypt Response (CertCE)
Details
  $metadata = download();
  if (verify_signature($metadata, CertF))
      Request = decrypt(Request, PrivkeySE);
      CertCE = extract_cert($metadata);
      if (verify_signature(Request, CertCE))
          Response = implement($param1, ...);
          sign_encrypt_send(Response, PrivkeySE, CertCE);
      end if
  end if
Trusted Transaction: Utilize
Client Entity (PrivkeyCE, CertCE, CertF)
  13. Decrypt response (PrivkeyCE)
  14. Verify signature (CertSE, from the metadata verified in step 2)
  15. Use the data
Details
  Response = decrypt(Response, PrivkeyCE);
  if (verify_signature(Response, CertSE))
      ... use the data ...
  else
      display error
  end if
Trusted Transaction: Architecture
Federation: Trust Fabric Metadata – CertSE, CertCE, CertF; Sign(PrivkeyF)
Service Definition: WSDL/SOAP
Client Entity (PrivkeyCE, CertCE, CertF)        Service Entity (PrivkeySE, CertSE, CertF)
  Prog Lang (Java, PHP, etc)                      Prog Lang (Java, PHP, etc)
  SOA Framework                                   SOA Framework
  Web Server (Apache, IIS, Tomcat)                Web Server (Apache, IIS, Tomcat)
Full sequence:
  1. Get Metadata                  (client)
  2. Verify Signature              (client, with CertF)
  3. Create Request                (client)
  4. Sign Request                  (client, PrivkeyCE)
  5. Encrypt Request               (client, CertSE)
  ... wait for response ...
  6. Get Metadata                  (service)
  7. Verify Signature              (service, with CertF)
  8. Decrypt request               (service, PrivkeySE)
  9. Verify request signature      (service, CertCE)
  10. Implement / Create Response  (service)
  11. Sign Response                (service, PrivkeySE)
  12. Encrypt Response             (service, CertCE)
  13. Decrypt Response             (client, PrivkeyCE)
  14. Verify signature             (client, CertSE)
  15. Use the data                 (client)
The only key material that ever travels is public certificates inside federation-signed metadata; private keys stay with their owners, and a peer certificate is trusted only because CertF verified the metadata that carried it.
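The Request / Respond / Utilize exchange above, carried through end to end as an added example; this is not code from the UNC-GA deck nor from the WSO2/PHP appliance it describes. It is written in Go rather than PHP so that it runs with only the standard library: federation, client entity and service entity all run in one process; bare RSA public keys stand in for CertF/CertCE/CertSE (no X.509 chain); a small envelope with an RSA-OAEP-wrapped AES-GCM key plus an RSA-PSS signature stands in for WS-Security signing and encryption; and the operation name `GetCourseCapacity`, the course `BIOL101` with 7 open seats, the two WSDL URLs and all function names are constructed for the example. The last step of `RunExchange` is the man-in-the-middle case from the Security slide: an impostor who serves metadata naming its own key cannot sign that metadata with PrivkeyF, so the client rejects it at step 2 and never encrypts anything to the impostor.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Envelope stands in for a WS-Security message: payload under a one-time AES-GCM key that is
// RSA-OAEP-wrapped to the recipient, plus the sender's RSA-PSS signature over the plaintext
// (also bound in as GCM additional data so signature and ciphertext cannot be mixed).
type Envelope struct{ WrappedKey, Nonce, Ciphertext, Sig []byte }

// Metadata is the federation trust fabric: service definition plus the trusted entities' keys.
// Assumption: bare RSA public keys stand in for the X.509 CertSE/CertCE of the deck.
type Metadata struct{ WSDL string; CertSE, CertCE *rsa.PublicKey }
type SignedMetadata struct{ Body, Sig []byte } // Body is signed with PrivkeyF

func digest(m []byte) []byte { h := sha256.Sum256(m); return h[:] }
func sign(priv *rsa.PrivateKey, m []byte) ([]byte, error) {
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest(m), nil)
}
func verify(pub *rsa.PublicKey, m, sig []byte) error {
	return rsa.VerifyPSS(pub, crypto.SHA256, digest(m), sig, nil)
}
func aead(key []byte) cipher.AEAD { b, _ := aes.NewCipher(key); g, _ := cipher.NewGCM(b); return g }

// signEncrypt: steps 4-5 (client) and 11-12 (service). Sign first, then encrypt.
func signEncrypt(msg []byte, own *rsa.PrivateKey, to *rsa.PublicKey) (*Envelope, error) {
	sig, err := sign(own, msg)
	if err != nil { return nil, err }
	key, nonce := make([]byte, 32), make([]byte, 12)
	rand.Read(key); rand.Read(nonce)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, to, key, nil)
	if err != nil { return nil, err }
	return &Envelope{wrapped, nonce, aead(key).Seal(nil, nonce, msg, sig), sig}, nil
}

// decryptVerify: steps 8-9 (service) and 13-14 (client). The sender's key comes from the
// federation-signed metadata, never from the message itself.
func decryptVerify(env *Envelope, own *rsa.PrivateKey, from *rsa.PublicKey) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, own, env.WrappedKey, nil)
	if err != nil { return nil, fmt.Errorf("unwrap key: %w", err) }
	msg, err := aead(key).Open(nil, env.Nonce, env.Ciphertext, env.Sig)
	if err != nil { return nil, fmt.Errorf("decrypt: %w", err) }
	if err := verify(from, msg, env.Sig); err != nil { return nil, fmt.Errorf("sender signature: %w", err) }
	return msg, nil
}

// loadMetadata: steps 1-2 (client) and 6-7 (service). CertF is the only pre-shared trust
// anchor; the WSDL and peer keys are believed only under a valid PrivkeyF signature.
func loadMetadata(sm SignedMetadata, certF *rsa.PublicKey) (*Metadata, error) {
	if err := verify(certF, sm.Body, sm.Sig); err != nil { return nil, fmt.Errorf("metadata signature: %w", err) }
	var m Metadata
	if err := json.Unmarshal(sm.Body, &m); err != nil { return nil, err }
	return &m, nil
}

// publish: the federation signs its trust fabric with PrivkeyF.
func publish(privF *rsa.PrivateKey, wsdl string, certSE, certCE *rsa.PublicKey) (SignedMetadata, error) {
	body, _ := json.Marshal(Metadata{wsdl, certSE, certCE})
	sig, err := sign(privF, body)
	return SignedMetadata{body, sig}, err
}

// clientRequest: steps 1-5. CertSE is handed back so the client can verify the reply.
func clientRequest(md SignedMetadata, certF *rsa.PublicKey, privCE *rsa.PrivateKey, op string, params map[string]string) (*Envelope, *rsa.PublicKey, error) {
	m, err := loadMetadata(md, certF)
	if err != nil { return nil, nil, err }
	req, _ := json.Marshal(map[string]any{"op": op, "params": params})
	env, err := signEncrypt(req, privCE, m.CertSE)
	return env, m.CertSE, err
}

// serviceRespond: steps 6-12. capacity is a constructed stand-in for the Banner tables.
func serviceRespond(md SignedMetadata, certF *rsa.PublicKey, privSE *rsa.PrivateKey, env *Envelope, capacity map[string]int) (*Envelope, error) {
	m, err := loadMetadata(md, certF)
	if err != nil { return nil, err }
	plain, err := decryptVerify(env, privSE, m.CertCE)
	if err != nil { return nil, err }
	var r struct{ Op string; Params map[string]string }
	if err := json.Unmarshal(plain, &r); err != nil { return nil, err }
	open, ok := capacity[r.Params["course"]]
	if r.Op != "GetCourseCapacity" || !ok { return nil, fmt.Errorf("bad request %q", r.Op) }
	body, _ := json.Marshal(map[string]any{"course": r.Params["course"], "open": open})
	return signEncrypt(body, privSE, m.CertCE)
}

// clientUtilize: steps 13-15.
func clientUtilize(env *Envelope, privCE *rsa.PrivateKey, certSE *rsa.PublicKey) (int, error) {
	plain, err := decryptVerify(env, privCE, certSE)
	if err != nil { return 0, err }
	var out struct{ Open int }
	if err := json.Unmarshal(plain, &out); err != nil { return 0, err }
	return out.Open, nil
}

// RunExchange runs federation, client entity and service entity in one process. It returns the
// open-seat count the client ends up trusting, and whether metadata re-signed by an impostor
// (holding a rogue "service" key but not PrivkeyF) is rejected at step 2 before anything is sent.
func RunExchange() (open int, rogueRejected bool, err error) {
	gen := func() *rsa.PrivateKey { k, _ := rsa.GenerateKey(rand.Reader, 2048); return k }
	privF, privCE, privSE, rogue := gen(), gen(), gen(), gen()
	md, err := publish(privF, "https://ga.example/GetCourseCapacity?wsdl", &privSE.PublicKey, &privCE.PublicKey)
	if err != nil { return }
	req, certSE, err := clientRequest(md, &privF.PublicKey, privCE, "GetCourseCapacity", map[string]string{"course": "BIOL101"})
	if err != nil { return }
	resp, err := serviceRespond(md, &privF.PublicKey, privSE, req, map[string]int{"BIOL101": 7})
	if err != nil { return }
	if open, err = clientUtilize(resp, privCE, certSE); err != nil { return }
	bad, _ := publish(rogue, "https://impostor.example/?wsdl", &rogue.PublicKey, &privCE.PublicKey)
	_, _, mitmErr := clientRequest(bad, &privF.PublicKey, privCE, "GetCourseCapacity", nil)
	return open, mitmErr != nil, nil
}

func main() {
	open, rejected, err := RunExchange()
	fmt.Println("open seats:", open, "| rogue metadata rejected:", rejected, "| err:", err)
}
```

`go run` prints the open-seat count (7) and that the impostor's metadata was rejected. What carries over to a real WSO2/PHP deployment is the order of trust, not the toy envelope: the metadata signature is checked before any key taken from it is used; decryption precedes signature verification because the signature is over the plaintext; and the certificate used at step 9 and step 14 is the one from the verified metadata, never one carried inside the message.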