Sun and Layer 7
Identity-Driven SOA Governance
Platform-independent XML/Web services are often the cornerstone of business application integration and Service Oriented Architecture (SOA) development. When these services and business processes traverse multiple, heterogeneous back-end systems and infrastructure, providing reliable security while maintaining performance is an enormous challenge. Sun and Layer 7 Technologies remove this obstacle by combining Layer 7 SecureSpan SOA appliances (delivered on Sun Fire X4100 servers) with the Sun Java Composite Application Platform Suite (Java CAPS) and Java Identity Management Suite, to create a seamless path from SOA design to composition to secure management.

Highlights
• SOA security appliance providing centralized policy enforcement for identity-driven SOA operations, and protection against malicious or accidental attack.
• Facilitates client authentication, service-level authorization, message privacy and transaction integrity.
• Offers hardware acceleration of XML parsing, validation and transformation for fast policy execution.
• Assures high service availability and reliability through clustering, Web service virtualization and SLA enforcement.
• Easy-to-configure administrator options for encryption/decryption, signature and WS* security policies.
• Integration with Sun Java Identity Management Suite and Composite Application Platform Suite (Java CAPS).

SOA identity and security challenges
Identity is at the heart of SOA security, driving authentication and authorization decisions for all client-service interactions. The ability to validate identity is also central to enforcing transactional integrity, message privacy and accountability policies. However, defining and enforcing identity-based security policies in an SOA is complicated. Machine identities for client applications must be reposited within a centrally accessible directory.

Services must be able to:
• Extract identity information from credentials passed to them inside a Web service’s SOAP message
• Validate those credentials against a centralized identity directory
• Enforce an identity-centric security policy such as authentication

In many instances, there is also a requirement to transpose messages or generate new security tokens (e.g. SAML) for secure, interoperable communication with back-end services.

In addition to identity-based access, privacy, integrity and accounting policies, SOA security solutions must also:
• Protect back-end Web services against attack and exploit, either malicious (DoS, replay, parser exploit, …) or accidental (malformed XML, invalid data, …).
• Implement and intermediate various XML, WS*, W3C SAML, and WS-I security standards.
• Filter, extract or redact confidential information entering or leaving an organization.
• Assure endpoint availability and performance through effective communication optimization, cluster management and SLA enforcement.

High-performance SOA identity, security solutions
The SecureSpan XML Networking Gateway is a SOA security hardware or virtual software appliance that provides SOA architects a centralized policy enforcement point for identity-driven SOA security operations, including client authentication, service-level authorization, message privacy and transaction integrity validation. The SecureSpan XML Networking Gateway integrates with Sun Java System Access Manager such that an existing access policy can be reused for SOA. It can also be deployed as a proxy to Java CAPS to ensure centralized policy enforcement for all communication entering or leaving a Java CAPS-enabled SOA environment.

The hardware version of the Layer 7 XML Networking Gateway offers hardware acceleration of XML parsing, validation and transformation for fast message processing of identity and content. It also comes with optional FIPS-compliant crypto acceleration for accelerated SSL, WS-Security and signing operations for XML or SAML.
For identity-centric privacy and integrity operation, the SecureSpan XML Networking Gateway provides administrators an array of easy-to-configure options for defining channel, message and element encryption/decryption and signing/signature validation policy. The XML Networking Gateway can also be configured to delegate authentication and authorization decisions to Sun Java Access Manager. All operations are available for both inbound and outbound traffic. Public Key Infrastructure (PKI) for the cryptographic operations can be implemented using the SecureSpan XML Networking Gateway’s on-board Certificate Authority or a third-party certificate authority. For implementations using the hardware XML Networking Gateway with on-board crypto acceleration, a centralized hardware HSM key store is also included.

In addition to securing identity-based SOA operations, the SecureSpan XML Networking Gateway offers extensive threat, WS* and service assurance features including:
• Configurable protections against service communication, API and application attacks, including integration with leading virus scanners
• Extensive support for key Web service security standards, including WS-Security, WS-SecureConversation, WS-Trust, WS-SecurityPolicy, WS-Policy, WS-I and SAML
• Broad content filtering and processing options for XML, SOAP, RSS and REST-based messaging
• Advanced service virtualization, QoS and SLA operations for assuring maximal service availability and responsiveness

SOA single sign-on and federation
Unlike the Web, SOA has no client-side browser analogue to cache session or federation tokens generated by products like Java System Access Manager or Java System Federation Manager, complicating Single Sign-on (SSO) and identity federation. Layer 7’s SecureSpan XML VPN client is a software or hardware proxy that can be deployed on or in front of SOA clients to request, cache and embed tokens into a client-side SOAP call without any client-side coding. The SecureSpan XML VPN client also ensures that all outbound SOAP messages automatically conform to policy settings defined on a Web service, as well as the latest WS* and WS-I standards. The SecureSpan XML VPN client automatically embeds sequence numbers and optionally time stamps to ensure any message transmitted from the client to a Web service is non-repudiable.

For B2B and Extranet applications, the XML VPN client can also be deployed alongside Java CAPS to deliver simple partner on-boarding. Services exposed through Java CAPS can be extended to external business units and companies without complex coding and testing.

Security as SOA governance foundation
All production Web services require policies to define security expectations and preferences. These security settings can be hard-coded into a service’s business logic, but at a significant cost in programming, testing, change management and flexibility. For services provisioned and composed using Java CAPS, the Layer 7 XML Networking Gateway offers a flexible, scalable and consistent way to implement, change and audit security policies without coding.

However, the Layer 7 XML Networking Gateway can also be used to define and enforce any WS-Policy-compliant SOA governance policy, including preferences for routing, SLA and QoS. The XML Networking Gateway can therefore be used as a general platform for centrally configuring and enforcing SOA policies.

For a free trial of the Layer 7 XML … page.html?id=82

For more information visit sun.com/layer7 or http://www.layer7tech.com, or contact your local Sun representative.
1-800-681-9377
firstname.lastname@example.org

Sun and Layer 7
Layer 7 Technologies markets a family of XML appliances (delivered on Sun x64 systems) and software to secure, simplify and scale Web services and SOA. Modern service-oriented application integration models and Web-oriented application delivery models depend on effectively addressing the performance, security, complexity, reliability and availability issues inherent in sharing Web services with other applications. Layer 7 Technologies therefore aims to provide the essential application-oriented security and networking infrastructure to enable Service-oriented and Web-oriented architectures (i.e. SOA and Web 2.0) that are central to the next wave of Internet and software innovation.

Layer 7 Technologies interacts with Sun Java Composite Application Platform Suite and Java Identity Management Suite to add a layer of SOA governance controls without compromising performance or flexibility.
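The replay protection the datasheet describes (a client embedding sequence numbers and time stamps, a gateway rejecting replayed messages), as an added example that is not Sun's or Layer 7's code: a gateway-side check that a SOAP message's WS-Security Timestamp is fresh and that its per-client sequence number has not been accepted before. The wsu:Timestamp and wsse:UsernameToken elements are standard WS-Security; the SequenceNumber element, its urn:example namespace and the sample envelope are constructed assumptions.

```python
"""Gateway-side replay check for SOAP messages carrying a WS-Security Timestamp
and a per-client sequence number. Added example, not Layer 7 code; the
SequenceNumber element and its urn:example namespace are assumptions."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SOAP = "{http://schemas.xmlsoap.org/soap/envelope/}"
WSSE = "{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}"
WSU = "{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}"
SEQ = "{urn:example:sequence}"  # hypothetical namespace for the client's counter
CLOCK_SKEW = timedelta(minutes=5)  # tolerated client/gateway clock difference


def _ts(text):
    # Parse an xsd:dateTime such as 2008-03-01T10:00:00Z into an aware datetime.
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def check(envelope, now, last_seq):
    """Return 'accept' or a reject reason. last_seq maps client name to the
    highest sequence number accepted so far and is updated on acceptance."""
    sec = ET.fromstring(envelope).find(f"{SOAP}Header/{WSSE}Security")
    if sec is None:
        return "reject: no wsse:Security header"
    created = sec.findtext(f"{WSU}Timestamp/{WSU}Created")
    expires = sec.findtext(f"{WSU}Timestamp/{WSU}Expires")
    client = sec.findtext(f"{WSSE}UsernameToken/{WSSE}Username")
    seq = sec.findtext(f"{SEQ}SequenceNumber")
    if not (created and expires and client and seq):
        return "reject: incomplete security header"
    if _ts(created) > now + CLOCK_SKEW or now > _ts(expires):
        return "reject: timestamp outside freshness window"
    if int(seq) <= last_seq.get(client, 0):  # duplicate or out-of-order message
        return "reject: sequence number already seen"
    last_seq[client] = int(seq)
    return "accept"


# Constructed sample envelope of the kind an XML VPN client might emit.
ENVELOPE = """<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
 xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
 xmlns:seq="urn:example:sequence"><S:Header><wsse:Security>
 <wsu:Timestamp><wsu:Created>2008-03-01T10:00:00Z</wsu:Created>
 <wsu:Expires>2008-03-01T10:05:00Z</wsu:Expires></wsu:Timestamp>
 <wsse:UsernameToken><wsse:Username>orders-client</wsse:Username></wsse:UsernameToken>
 <seq:SequenceNumber>%d</seq:SequenceNumber></wsse:Security></S:Header><S:Body/></S:Envelope>"""


def demo():
    """Fresh message, an exact replay of it, then a later message that has expired."""
    seen, t = {}, datetime(2008, 3, 1, 10, 1, tzinfo=timezone.utc)
    return [check(ENVELOPE % 7, t, seen), check(ENVELOPE % 7, t, seen),
            check(ENVELOPE % 8, t + timedelta(minutes=10), seen)]
```

The sequence-number table must be shared across all gateway cluster members (or partitioned by client) for the duplicate check to hold in a clustered deployment.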
Sun Microsystems, Inc. 4150 Network Circle, Santa Clara, CA 95054 USA Phone 1-650-960-1300 or 1-800-555-9SUN Web sun.com
© 2008 Sun Microsystems, Inc. All rights reserved. Sun, Sun Microsystems, the Sun Logo and Java are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and other countries.
SunWIN#: 528778 Lit.#: SWDS14071-0 03/08