SOA …
Web Services Infrastructure
Overview
UNC – General Administration
Motivation
   Inter-institutional Registration System
       Existing UNC Students
       Broker between Home and Visited campus
       Integrate with Banner/ERP
           Avoid manual data entry
   Exam Proctoring Network
       Exam publication and distribution for faculty
       Students find/schedule proctors
       Integrate with Banner/ERP
           What classes are faculty teaching?
           What classes are students taking?
   Data transfer
       Transaction context
       Real-time
   Systems Integration over:
       Disparate platforms
           Windows vs. Linux
           Banner vs. PeopleSoft
           Oracle vs. MySQL
       Different programming languages (Java vs. PHP)
       Broad geographic areas
       Varying network topologies
Overview
   Idea
       Define a standard way to communicate
           Using loosely coupled tools
           Over a variety of platforms/languages
   Standardization
       [Diagram: Senders and Receivers. Without a standard, each sender maps "My View" onto every receiver's view; with a Canonical Standard, each sender and receiver maps only between "My View" and the "Canonical View".]
Web Services
   WSDL – Web Services Description Language
       XML Schema
       Defines an “interface” (contract)
           Function definition (input, output, data types)
   SOAP – Messaging layer
       XML messages, normally carried over HTTP
       HTTP is one of many possible transport mechanisms
SOA vs. Web Service
   By analogy:
       Brick : Wall   as   Web Service : SOA
   SOA = paradigm for assembling web services into an efficient, reusable system.
Security
   UNC System Network Topology
       No private network
       Must use public network
   PKI – Public Key Infrastructure
       Sign & Encrypt messages (WS-Security)
       Same problem as ssh: how does a party know the public key it received is the other side's and not a man-in-the-middle's?
   Solution – Use a trusted metadata service
Overview
   [Diagram: message flow between the Registrar (client) and a campus Virtual Appliance (service). Both run the same stack: Programming Language (PHP) / SOA Framework (WS02) / Web Server (Apache), talking over Port 80/443. PKI sits on every hop. The Federation Web Service holds the list of trusted entities and the public-key repository; the service side holds an Authorization List and is backed by Banner/Oracle.]
       1. Initiate (Registrar)
       2. Find Service Provider (Federation Web Service)
       3. Consume Service (Port 80/443)
       4. Verify Requestor (PKI)
       5. Authorize Requestor (Authorization List)
       6. Implement Service (Banner/Oracle)
       7. Return Results
       8. Verify Response (PKI)
       9. Use
   PKI – Signed & Encrypted using public/private key pairs
Virtual Appliance
   Success of Shibboleth IDP Deployments
   Idea
       GA implements once
       Deploys to each campus with VMWare
       Campus “owns”
           Configures within environment
           Support from GA
   Goal
       Efficiency
       Consistency
       Cost effectiveness
       Simplicity

   Ownership Model & Responsibilities
       Application Code (PL/SQL)    Campus configures w/ assistance from GA
       SOA Framework (WS02)         Just a dummy pass-through
       Programming Lang (PHP)
       Web Server (Apache)          Campus configures and patches (standard RHEL)
       Operating System (RHEL 5)
Virtual Appliance: Oracle Package
   [Diagram: UNC-GA Web Services Framework on the left, Campus Managed on the right]
       Client Application → WS Client → message SIGNED AND ENCRYPTED → WS Service Handler on the Campus VM Server
       WS Service Handler → Oracle Package: Interface Procedure → Translation Procedure(s) → Banner Tables
       Campus Managed: Campus Interface Procedure and Translation Tables
Services
   Inter-institutional Registration
       Get Student
           Pull core student data for an approved request
       Get Course Capacity
           Determine the number of open slots in a course
           Huge benefit to registrars and students
       Set Student (future)
           Push core student data and approved courses to Banner for automation
           Use existing APIs
   UNC Identity Federation
       Find Person (future)
           Enable cross-campus directory search
           Simplify application authorizations within the Shibboleth federation
               Get a person’s “handle” when setting up application authorizations
Services - continued
   Exam Proctoring Network
       GetStudentCourses
           Determine the courses the current student is taking
       GetFacultyCourses
           Determine which courses the faculty member is currently teaching
       GetClassRoster
           Determine all students taking a course
       GetTermCourses (maybe)
           Determine the courses currently being offered in a term
           Currently, this is submitted manually via the Registrar’s Office
Technical Illustrations
 The following slides provide animations to illustrate
 how the web services federation ensures security
 during its message exchanges.

 These slides are best viewed in “Slide show” format.
Trusted Transaction: Setup
   Client Entity: Prog Lang (Java, PHP, etc) / SOA Framework / Web Server (Apache, IIS, Tomcat)
       Holds PrivkeyCE, CertCE and CertF
   Service Entity: same stack; publishes the Service Definition (WSDL/SOAP)
       Holds PrivkeySE, CertSE and CertF
   Federation: Trust Fabric Metadata, signed with PrivkeyF; CertF is held by every entity
       <ServiceEntity>
          <x509Certificate> CertSE
          <wsdl>
       </ServiceEntity>
       <ClientEntity>
          <x509Certificate> CertCE
       </ClientEntity>
       Sign(PrivkeyF)
Trusted Transaction: Request
   Client Entity
       1. Get Metadata
       2. Verify Signature (CertF)
       3. Create Request
       4. Sign Request (PrivkeyCE)
       5. Encrypt Request (CertSE)
       ... wait for response ...
   Details
       $metadata = download()
       if (verify_signature($metadata, CertF))
           $wsdl = extract_wsdl($metadata);
           CertSE = extract_cert($metadata);
           Request = create_request($wsdl, $param1, ... etc);
           sign_encrypt_send(Request, PrivkeyCE, CertSE);
           ... wait for response ...
       else
           display error
       end if
Trusted Transaction: Respond
   Client Entity: steps 1-5 as on the Request slide, then waits for the response
   Service Entity
       6. Get Metadata
       7. Verify Signature (CertF)
       8. Decrypt Request (PrivkeySE)
       9. Verify Request Signature (CertCE)
       10. Implement / Create Response
       11. Sign Response (PrivkeySE)
       12. Encrypt Response (CertCE)
   Details
       $metadata = download()
       if (verify_signature($metadata, CertF))
           Request = decrypt(Request, PrivkeySE);
           CertCE = extract_cert($metadata);
           if (verify_signature(Request, CertCE))
               Response = implement($param1 ...);
               sign_encrypt_send(Response, PrivkeySE, CertCE);
           end if
       end if
Trusted Transaction: Utilize
   Client Entity (after steps 1-5 and the service's steps 6-12)
       13. Decrypt Response (PrivkeyCE)
       14. Verify Signature (CertSE)
       15. Use the data
   Details
       Response = decrypt(Response, PrivkeyCE);
       if (verify_signature(Response, CertSE))
           ... use the data ...
       else
           display error
       end if
Trusted Transaction: Architecture
   Client Entity                         Service Entity
       1. Get Metadata                       6. Get Metadata
       2. Verify Signature                   7. Verify Signature
       3. Create Request                     8. Decrypt Request
       4. Sign Request                       9. Verify Request
       5. Encrypt Request                    10. Implement / Create Response
       ... wait for response ...             11. Sign Response
       13. Decrypt Response                  12. Encrypt Response
       14. Verify Signature
       15. Use the data
   Both entities run Prog Lang (Java, PHP, etc) / SOA Framework / Web Server (Apache, IIS, Tomcat). The client holds PrivkeyCE, CertCE, CertF; the service holds PrivkeySE, CertSE, CertF. The Federation's Trust Fabric Metadata (CertSE and wsdl for the ServiceEntity, CertCE for the ClientEntity, signed with PrivkeyF) is as on the Setup slide.
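The exchange on the Setup, Request, Respond and Utilize slides, and the man-in-the-middle point from the Security slide, worked through as an added example. This is not UNC-GA's code and not the WS02 framework's API: it is a self-contained Go program using only the standard library, with both entities running in one process. Simplifications, all assumptions of this example rather than facts from the slides: DER-encoded public keys stand in for the X.509 certificates (CertCE, CertSE, CertF), JSON stands in for the XML trust-fabric metadata, a signed blob is laid out as signature || body instead of a WS-Security XML Signature, and messages are encrypted as WS-Security does it in spirit (AES-GCM for the body, the session key wrapped to the recipient with RSA-OAEP) rather than with XML Encryption. The WSDL URL, `GetCourseCapacity` reply text and the `implement` callback are made up for the demo.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/json"
	"fmt"
)

// Fixed sizes for RSA-2048: a PSS signature and an OAEP ciphertext are both 256 bytes,
// so a signed blob is sig || body and a wire message is wrappedKey || nonce || ciphertext.
const rsaLen, nonceLen = 256, 12

// must is only for failures that well-formed local keys cannot produce.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func newKey() *rsa.PrivateKey { return must(rsa.GenerateKey(rand.Reader, 2048)) }

// certOf returns a DER public key, standing in for the party's X.509 certificate (assumption).
func certOf(k *rsa.PrivateKey) []byte { return must(x509.MarshalPKIXPublicKey(&k.PublicKey)) }

func pubOf(certDER []byte) *rsa.PublicKey { return must(x509.ParsePKIXPublicKey(certDER)).(*rsa.PublicKey) }

// Metadata is the federation's trust fabric: the trusted entities' certs and the WSDL.
type Metadata struct {
	ServiceCert, ClientCert []byte
	WSDL                    string
}

// sign returns sig || body under the sender's private key.
func sign(priv *rsa.PrivateKey, body []byte) []byte {
	h := sha256.Sum256(body)
	return append(must(rsa.SignPSS(rand.Reader, priv, crypto.SHA256, h[:], nil)), body...)
}

// verify returns the body of a signed blob if its signature checks out under certDER, which
// is always a cert already trusted: CertF from local config, or a cert from verified metadata.
func verify(certDER, signed []byte) ([]byte, error) {
	if len(signed) < rsaLen {
		return nil, fmt.Errorf("truncated signed blob")
	}
	h := sha256.Sum256(signed[rsaLen:])
	if err := rsa.VerifyPSS(pubOf(certDER), crypto.SHA256, h[:], signed[:rsaLen], nil); err != nil {
		return nil, err
	}
	return signed[rsaLen:], nil
}

// signEncrypt is steps 4-5 (client) / 11-12 (service): sign with the sender's key, then
// encrypt to the recipient: AES-GCM for the body, RSA-OAEP to wrap the session key.
func signEncrypt(body []byte, senderPriv *rsa.PrivateKey, recipientCert []byte) []byte {
	key, nonce := make([]byte, 32), make([]byte, nonceLen)
	must(rand.Read(key))
	must(rand.Read(nonce))
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	wire := must(rsa.EncryptOAEP(sha256.New(), rand.Reader, pubOf(recipientCert), key, nil))
	return gcm.Seal(append(wire, nonce...), nonce, sign(senderPriv, body), nil)
}

// decryptVerify is steps 8-9 (service) / 13-14 (client). Everything here is attacker
// reachable, so malformed input is an error, never a panic; the signature is checked
// against the sender's cert taken from the metadata, not one carried in the message.
func decryptVerify(wire []byte, recipientPriv *rsa.PrivateKey, senderCert []byte) ([]byte, error) {
	if len(wire) < rsaLen+nonceLen {
		return nil, fmt.Errorf("truncated message")
	}
	key, err := rsa.DecryptOAEP(sha256.New(), nil, recipientPriv, wire[:rsaLen], nil)
	if err != nil || len(key) != 32 {
		return nil, fmt.Errorf("key transport rejected")
	}
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	plain, err := gcm.Open(nil, wire[rsaLen:rsaLen+nonceLen], wire[rsaLen+nonceLen:], nil)
	if err != nil {
		return nil, err
	}
	return verify(senderCert, plain)
}

// publishMetadata is the Setup slide: the federation signs the trust fabric with PrivkeyF.
func publishMetadata(fedPriv *rsa.PrivateKey, md Metadata) []byte {
	return sign(fedPriv, must(json.Marshal(md)))
}

// loadMetadata is steps 1-2 / 6-7: CertF alone decides whether the download is trusted.
func loadMetadata(signedMD, certF []byte) (md Metadata, err error) {
	body, err := verify(certF, signedMD)
	if err != nil {
		return md, fmt.Errorf("metadata signature: %w", err)
	}
	return md, json.Unmarshal(body, &md)
}

// Exchange runs steps 1-15 in one process. Both sides would load the same signed metadata,
// so the check is done once here; implement stands in for the Banner/Oracle side (step 10).
func Exchange(ce, se *rsa.PrivateKey, signedMD, certF []byte, params string, implement func(string) string) (string, error) {
	md, err := loadMetadata(signedMD, certF) // 1-2 and 6-7
	if err != nil {
		return "", err
	}
	wire := signEncrypt([]byte(md.WSDL+" "+params), ce, md.ServiceCert) // 3-5
	req, err := decryptVerify(wire, se, md.ClientCert)                   // 8-9
	if err != nil {
		return "", err
	}
	reply := signEncrypt([]byte(implement(string(req))), se, md.ClientCert) // 10-12
	out, err := decryptVerify(reply, ce, md.ServiceCert)                    // 13-14
	return string(out), err                                                 // 15
}

func main() {
	fed, ce, se, mitm := newKey(), newKey(), newKey(), newKey()
	md := Metadata{certOf(se), certOf(ce), "https://campus.example.edu/ws/GetCourseCapacity?wsdl"} // assumed URL
	capacity := func(req string) string { return "open_slots=12 for " + req }                    // assumed reply
	fmt.Println(Exchange(ce, se, publishMetadata(fed, md), certOf(fed), "course=CSC101", capacity))
	// Man in the middle: the attacker swaps its own cert in for CertSE on the metadata
	// download. Lacking PrivkeyF, the forgery fails step 2 and the client sends nothing.
	md.ServiceCert = certOf(mitm)
	fmt.Println(Exchange(ce, se, publishMetadata(mitm, md), certOf(fed), "course=CSC101", capacity))
}
```

Running it prints the service's reply for the genuine metadata and a "metadata signature" error for the forged copy: because CertF is configured locally on each entity, nobody on the public network can substitute a certificate without PrivkeyF, which is what makes the trusted metadata service the answer to the ssh-style key-distribution problem. Two caveats for a real deployment that the slides do not cover: each entity here uses one key pair for both signing and decryption, as the slides draw it, whereas separate signing and encryption keys are the safer choice; and real X.509 certificates in the metadata should still be checked for validity period and revocation, and the metadata itself should carry an expiry so a stale but validly signed copy cannot be replayed.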