
Java CAPS Secure SOA
September 2008

Igor Mameshin
Security Challenges – Domain Restrictions
• Federation
    > Federated Identity and User Privacy
• SSO for Web sites, identity based Web services
• Insider Threats
• Outsider Threats
    > XML Attacks
• Interoperability
• Multi-Level-Security (MLS)
• Governance, Compliance, Auditing
• Information filtering (role specific view, data masking)
                                Sun Proprietary                2
Security Pre-SOA: Silo-ed / Ad Hoc Trust?
[Figure: monolithic applications (Scheduling, Order Processing, Accounts Management) each with their own ad hoc SSO, authentication, authorization and logging (some marked LOG, some NO LOG), built over silo-ed systems: Custom Marketing System, AS400 Sales System, Oracle CRM System, SAP Finance System, Red Prairie Warehouse Mgmt. System, Another Business Unit, External Trading Partner. Open questions on the slide: Policy / Control? Audit? Integrity?]
Secure SOA: Refactored & Standardized Security
[Figure: composite applications (Field Service, Order Processing, Accounts Management) call application services (Check Inventory, Check Customer Status, Check Order Status, Check Credit, Create Invoice) through centralized security and infrastructure services (Authentication, Authorization, Trusted Token / SSO, Secure Conversation, Signature, Encryption, Credential Management, Provisioning, Federation, Logging, Audit), backed by Identity, Policy, Key and Log Stores and a Service Repository; Another Business Unit and an External Trading Partner attach to the same layer.]
Secure SOA Defined
Secure SOA is an approach to implementing SOA that, by design,
ensures trust throughout the SOA ecosystem (including services,
consumers, composite applications and infrastructure) by addressing
some or all of the following security aspects:
• Authentication
• Authorization
• Integrity
• Confidentiality
• Accountability (monitoring, logging, audit, non-repudiation)
• Identity (federation, provisioning, trust brokering)
• Security Policies

Secure SOA is best viewed as a specific case of Governed SOA.
Implement Identity Based Services
• Federated Access Manager 8 (FAM) - provides the ability to log in to a Web
  application/portal once and have access to the network of systems (SSO)
• FAM - provides the identity of the user who originated a business transaction
  to all services
• FAM - implements the Secure Token Server (STS), which is responsible for
  generating SAML Tokens. Uses JSR-196 Security Providers on the Application
  Server to secure the SOAP message generated by the Web Services Client
  and to validate the SOAP message at the Web Services Provider.
• Identity Manager (IDM) - provisions users into LDAP, and provisions user
  attributes such as group memberships, security clearance, and military rank.
• Layer 7 SSG - implements authorization for applications to invoke Web
  services, and implements information visibility, service governance, audit,
  monitoring and management.
• Java CAPS - implements enterprise services and business processes.

Security Architecture Patterns
• Point-to-Point (Security inside Web service)
  > Low reuse
  > Complex and inflexible development
  > Technology dependent, platform dependent
  > Re-engineering is required to implement new standards
• Intercepting Agent (Security inside J2EE Container)
  > Application server and API dependent
  > Not loosely coupled
• XML Gateway / SOA Governance Gateway / Service Gateway
  > Truly loosely coupled
  > Service, container, and technology independent
  > Easily adapts to new standards
  > Gateway and Agent models provide centralized management and reporting,
    with the ability to make global changes for multiple Web services. This
    functionality must be custom-built if platform-specific solutions are written.
Security Architecture Patterns
• Point-to-Point (Security inside Web service)
   > Can be implemented on transport level using HTTPS/SSL
   > Application code includes security code that implements security for service
     consumers and providers
   > Implemented through hooks: JAXWS handlers, JSR196 callbacks, Axis handlers
• Intercepting Agent (Security inside J2EE Container)
   > Protects services through a Web Agent that intercepts requests at the Web
     Container and provides authentication, authorization, encryption, and auditing
   > Enforced at endpoint with an agent such as Access Manager J2EE Policy Agent
• XML Gateway / SOA Governance Gateway / Service Proxy
   > Provides a single entry point and allows centralization of security enforcement for
     incoming and outgoing messages. It helps to implement security policies and to
     apply transport-level and message-level security.
   > Enforced at hardware appliances, standalone software, or JBI aspects
   > Aspects help to encapsulate cross-cutting concerns in one place. Aspects can
     alter the behavior of the non-aspect parts of a software application.
Secure SOA Architecture
[Figure: a Web GUI service consumer obtains a token from the access manager (SSO Session, Authorization, Policy Enforcement, Federation); a Service Gateway with the AM Client SDK and a Service Registry / Repository passes an Authentication Assertion to the Enterprise Service Bus, which hosts business processes, enterprise services and services backed by MySQL; Identity Manager (Provisioning, Identity Sync, Password Sync, Admin Policies) maintains the User Repository and Data Repository.]
Products Selection
Production / Open Source:
• Solaris OS 10 u5
• Java CAPS 6
• Directory Server 6.3
• Identity Manager 7.1
• MySQL DataBase 5.0
• Application Server 9.1
• Federated Access Manager 8.0
• Layer 7 SSG Gateway
Tango / JAX-WS / Metro
• Project Tango develops and evolves the codebase for
  Web Services Interoperability Technologies (WSIT).
  Includes XWSS 3.0.
• Tango + JAX-WS + JAXB system is known as the Metro
  Web Services stack
  > Leverages existing technologies (JAXB, SAAJ, Woodstox, XML
    stream buffer)
  > Implements the JAX-WS 2.0 API (JSR 224)
  > Extensible transport support (HTTP, SOAP/TCP, MTOM and
    XOP, SMTP, sample JMS)
  > Adds Reliability, Transactions and of course Security

Web Service Security in Metro 1.0
• Security in Metro 1.0 is based on the following security-related
  specifications and standards:
  > WS-Security Core Specification 1.1
  > Username Token Profile 1.1
  > X.509 Token Profile 1.1
  > SAML Token Profile 1.1
• The security requirements and capabilities of a Web service in Metro
  are expressed using WS-SecurityPolicy. Interoperability is achieved by
  the use of the WS-Security standard, as well as WS-I and the WS-I Basic
  Security Profile (BSP).
• NetBeans and its WSIT plugin allow configuration or profiles to be
  defined through UI screens.
Web Service Security in Metro 1.0
• Current Limitations of XWSS 3.0
  > No support for caching of nonces and replay detection as
    outlined in the WSS specifications. This was supported in XWSS
    2.0; later the feature was disabled.
  > No support for securing attachments as defined by the WSS SOAP
    With Attachments Profile 1.1. This was supported in XWSS
    2.0; later the feature was disabled.
  > The only practical way to configure is through design-time
    NetBeans JAX-WS profiles
• JSR 196 CallbackHandler allows to implement custom

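The nonce caching and replay detection that the XWSS 3.0 limitation above refers to, as an added example that is not Metro or XWSS code: a bounded nonce cache with the timestamp freshness window described by the WSS Username Token Profile, checked before the password digest, with a constructed client-side token builder so the block runs on its own.

```python
import base64
import hashlib
import hmac
import os
import time
from collections import OrderedDict
from datetime import datetime, timezone

# Added example, not Metro/XWSS code: the nonce cache and replay check that the
# slide says XWSS 3.0 no longer provides, applied to a WS-Security UsernameToken.
# Per the Username Token Profile, PasswordDigest = Base64(SHA-1(nonce + created +
# password)) with the nonce as its raw decoded bytes.

CREATED_FMT = "%Y-%m-%dT%H:%M:%SZ"

def parse_created(created):
    """Convert a wsu:Created value (UTC, whole seconds) to a POSIX timestamp."""
    return datetime.strptime(created, CREATED_FMT).replace(tzinfo=timezone.utc).timestamp()

def password_digest(nonce_b64, created, password):
    raw = base64.b64decode(nonce_b64, validate=True) + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()

class NonceCache:
    """Remembers nonces for the freshness window; a nonce seen twice is a replay."""

    def __init__(self, window_seconds=300, clock=time.time):
        self.window = window_seconds
        self.clock = clock          # injectable so tests can pin the time
        self._seen = OrderedDict()  # nonce bytes -> expiry timestamp, oldest first

    def _evict_expired(self, now):
        while self._seen and next(iter(self._seen.values())) <= now:
            self._seen.popitem(last=False)

    def check(self, nonce_b64, created):
        """Return (accepted, reason): freshness window first, then uniqueness."""
        now = self.clock()
        try:
            created_ts = parse_created(created)
            nonce = base64.b64decode(nonce_b64, validate=True)
        except ValueError:          # strptime errors and binascii.Error (a ValueError)
            return False, "malformed"
        if abs(now - created_ts) > self.window:
            return False, "stale"   # outside the window, so the cache need not keep it
        self._evict_expired(now)
        if nonce in self._seen:
            return False, "replay"
        self._seen[nonce] = created_ts + self.window
        return True, "ok"

def verify_username_token(cache, token, expected_password):
    """Server-side (WSP) check of a UsernameToken dict: replay window, then digest.
    A token that fails the digest still consumes its nonce, which is intended."""
    accepted, reason = cache.check(token["Nonce"], token["Created"])
    if not accepted:
        return False, reason
    expected = password_digest(token["Nonce"], token["Created"], expected_password)
    if not hmac.compare_digest(expected, token["PasswordDigest"]):
        return False, "bad-digest"
    return True, "ok"

def make_token(username, password, created, nonce=None):
    """Constructed client side (WSC): the token fields a client would put in the header."""
    nonce_b64 = base64.b64encode(nonce or os.urandom(16)).decode()
    return {"Username": username, "Nonce": nonce_b64, "Created": created,
            "PasswordDigest": password_digest(nonce_b64, created, password)}
```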
Tango / WSIT / Metro
• Pros:
  > Point-and-click client and server support
  > Supports specifications (WS-Security, WS-Trust, WS-Policy,
    WS-Secure Conversation, WS-Security Policy)
  > .NET interoperability
• Cons:
  > Packaging-time decisions:
     – one policy per service
     – point-to-point solution
  > Limited to GlassFish, Tomcat, NetBeans
  > Can only support newly developed services
  > Non-extendable (e.g. custom mechanisms, tokens, etc)
Access Manager Features
• User session management & Single Sign-On for Web
• User authentication: LDAP, Active Directory, certificate
• Authorization and Policy Service: resources, rules,
• Identity Federation: SAML, ID-WSF
• Logging: file, database, secure logging
• Pluggable J2EE Policy Agents prevent unauthorized
  access to web content and web services
• AM Client SDK can be used for making dynamic, runtime-
  based access control decisions
Federated Access Manager
• Fulfills the requirements for Message Level Security and
  Identity Federation
• FAM instances host the Secure Token Server (STS),
  which is responsible for generating SAML Tokens, and
  securing the SOAP message generated by the Web
  Services Client
• FAM instances are also configured as trusted entities to
  enable Identity Federation

FAM Architecture

Requirements for Web Services Security
• Identify the Principal
  > WS-Security, WS-I Basic Security Profile
  > Liberty ID-WSF Security Mechanisms
• Preserve the Identity
  > Across multiple “hops”
  > Across domain boundaries
• Maintain privacy and integrity
• Use existing technologies & idioms
• Audit

Federated Access Manager and Web Services
• Problem:
  > How do I support web services for my web applications in various containers
    when it is handled differently from container to container?
• What It Does?
  > Provides an agent that can be deployed in containers for consuming,
    processing and transforming security tokens including SAML
  > Abstracts security from the application.
  > WSS Agent allows standardization on security across multiple containers
    (e.g. Sun, IBM, BEA etc.)
    – Implements container's authentication SPI (JSR 196)
    – Secures SOAP request and validates SOAP response at WSC.
    – Validates SOAP request and secures SOAP response at WSP.
[Figure: numbered (1-5) request flow from the Web Service Client, through its WSS Agent (FAM clientsdk), as a SOAP (WSS) message to the WSS Agent in front of the Web Service, with both agents talking to the FAM Server.]
Web Services Security Agent
(Authentication Provider)
• Protects Web Service communication between WSC
  and WSP
• Implements container's Authentication SPI (JSR 196)
• Plugged into container
• Secures SOAP request and Validates SOAP
  response at WSC
• Validates SOAP request and Secures SOAP
  response at WSP
• Configured per WSC and WSP

Securing a SOAP Request

Verification and Response

Secure Token Service
• Problem:
  > How does the Web service verify the credentials presented by the client?
• How It Works
  > An authenticated client requests a token needed to access the web service
    provider.
  > The STS verifies the credentials presented by the client, and then in
    response it issues a security token that provides proof that the client
    has authenticated with the STS.
  > The client presents the WS-I BSP based security token (User Name, X.509,
    SAML etc.) to the Web service.
  > The Web service verifies that the token was issued by a trusted STS, which
    proves that the client has successfully authenticated with the STS.
[Figure: the Web Service Client obtains a Security Token from the STS (Issue Token, WS-Trust) and then sends its SOAP request, carrying that token, to the Web Service.]
Sequence Flow - STS

STS Architecture

Layer 7: SecureSpan XML Appliances
• Family of gateways in appliance and S/W only form
• Provide acceleration, validation, security, federation,
  routing, protocol mediation, load balancing, SLAs,
  logging, light monitoring and throttling and some run-time
• Not limited to Web Services (also supports Web 2.0,
• High performance and scalability
• Very strong standard support
• Easy to use and integrate with CAPS
• Willing to modify their product to meet customer needs
Layer 7: SecureSpan XML Appliances
• Application Oriented Networking and XML routing
• Service virtualization
• Centralized SLA enforcement
• Transport and protocol mediation
• Runtime enforcement of SOA governance policies

Layer 7: SecureSpan Manager

Federated Identity Aware
Trusted Services (FIATS) Demo

WSS Implementation
FIATS Demo: WSS Requirements
• Two simulated Security Domains – Navy and CoastGuard
• Navy domain hosts the Command and Control (C2) app
• C2 App invokes multiple Web Services through an
• Navy domain hosts the AuthN Layer and the STS layer
• Users are Authenticated by the FAM AuthN layer
• STS secures and signs all resulting SOAP messages
  from Web Service requests
• JSR 196 Security Providers used to intercept Servlet calls
  and SOAP messages; GlassFish container
FIATS Demo: WSS Requirements
• STS generates SAML Token to “Identity enable” the Web
• SAML Token contains a set of Attribute statements
• The Attribute statements are used by L7 SSG to make
  Authorization decisions
• SAML Post Profile Federation in-place to federate users
  from Navy to CoastGuard domain
• SAML assertion generated by the Navy IDP contains the
  Attribute Statements required for AuthZ decisions
• Navy domain STS is used to secure SOAP messages

FIATS Demo: FAM Architecture

Configure FAMServerProvider

Configure FAM Attribute Mapper
• Attribute mapping provides a way to insert attribute
  statements in SAML Assertions, on which
  Authorization decisions are based
• Attributes are mapped using the mapper in WSC and
  WSP configurations in FAM
• The mapped attributes need to be a part of the IdRepo
  set of attributes
• The following attributes are mapped for the FIATS demo
  > Group
  > Security Clearance
  > Rank

Configure FAM Attribute Mapper

Layer 7 SecureSpan Gateway (SSG)
• Sun has a partnership with Layer 7 for SOA security,
  policy management, and operational governance
• SSG is an XML Firewall and service gateway designed to
  protect Web Services and enforce service policies.
  Supports HTTP(s), FTP(S), JMS endpoints
• Available in one of two form factors
  > As a 64-bit ASIC-accelerated hardware appliance
  > As a software package running on Solaris 10 and Red Hat
    Enterprise Linux 4.

Layer 7 SecureSpan Gateway (SSG)
• Can be clustered for load balancing
• Identity Providers authenticate users and groups. SSG
  > Use own internal identity provider (IIP/FIP)
  > Interface with LDAP Providers: Oracle, IBM Tivoli LDAP, MS
    Active Directory, Generic LDAP v3
  > Connect to external identity management systems: CA
    SiteMinder, Sun AM, IBM Tivoli AM
• Trust Store keeps trusted client certificates
• UDDI used to retrieve and publish Web services from/to
  HP Systinet
Example: Authorization Policy
<!-- Layer 7 policy fragment. The opening tag of the preceding assertion was lost
     in extraction, leaving only its attributes: L7p:variablePrefix="Group"
     wsp:Usage="wsp:Required" xmlns:xsd="" xmlns:xsi=" -->
<wsp:OneOrMore wsp:Usage="Required">
    <wsp:All wsp:Usage="Required">
        <L7p:Comment stringValue="Clear any US Navy group member"/>
        <L7p:CaseSensitive booleanValue="false"/>
        <L7p:Expression1 stringValue="${Group.result}"/>
        <L7p:Operator operatorNull="null"/>
        <L7p:Predicates predicates="included">
            <L7p:item dataType="included">
                <L7p:Type variableDataType="string"/>
            </L7p:item>
            <L7p:item binary="included">
                <L7p:Operator operator="CONTAINS"/>
                <L7p:RightValue stringValue="cn=USNavy"/>
            </L7p:item>
        </L7p:Predicates>
        <!-- VHJ1ZQ== is base64 for "True": when the comparison matches, the
             context variable Cleared is set to True for the assertions that follow -->
        <L7p:Base64Expression stringValue="VHJ1ZQ=="/>
        <L7p:VariableToSet stringValue="Cleared"/>
    </wsp:All>
</wsp:OneOrMore>
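Added example (not Layer 7 or FAM code) that ties the attribute mapper slide (Group, Security Clearance, Rank) to the policy above: it reads those attributes from a constructed SAML 1.1 assertion and evaluates the case-insensitive "Group CONTAINS cn=USNavy" rule that sets Cleared. The clearance ordering in authorize() is an assumption of this example, not something the slides state.

```python
import xml.etree.ElementTree as ET

# Added example, not Layer 7 or FAM code: read the attribute statement that the
# FAM attribute mapper places in a SAML 1.1 assertion and apply the slide's rule.

SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"
NS = {"saml": SAML1}

# Constructed assertion fragment; issuer, conditions and signature are omitted.
# A real gateway verifies the signature and issuer before trusting the attributes.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML1}" MajorVersion="1" MinorVersion="1">
  <saml:AttributeStatement>
    <saml:Subject><saml:NameIdentifier>lt.jones</saml:NameIdentifier></saml:Subject>
    <saml:Attribute AttributeName="Group" AttributeNamespace="urn:example:fiats">
      <saml:AttributeValue>cn=USNavy,ou=Groups,dc=navy,dc=example</saml:AttributeValue>
      <saml:AttributeValue>cn=C2Users,ou=Groups,dc=navy,dc=example</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="Security Clearance" AttributeNamespace="urn:example:fiats">
      <saml:AttributeValue>SECRET</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="Rank" AttributeNamespace="urn:example:fiats">
      <saml:AttributeValue>LT</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def attributes_from_assertion(xml_text):
    """Map AttributeName -> list of values across every AttributeStatement."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("AttributeName"), []).extend(values)
    return attrs

def contains(values, needle, case_sensitive=False):
    """CONTAINS over a multi-valued variable, mirroring L7p:CaseSensitive=false."""
    if not case_sensitive:
        needle = needle.lower()
        values = [v.lower() for v in values]
    return any(needle in v for v in values)

def evaluate_policy(attrs):
    """Return the context variables the slide's wsp:All branch would set."""
    context = {}
    if contains(attrs.get("Group", []), "cn=USNavy"):
        context["Cleared"] = "True"   # the policy's base64 VHJ1ZQ== decodes to "True"
    return context

def authorize(attrs, min_clearance="SECRET"):
    """Gate on Cleared plus Security Clearance. The level ordering is an assumption
    of this example; the slides only say the attributes feed AuthZ decisions."""
    levels = ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET"]
    cleared = evaluate_policy(attrs).get("Cleared") == "True"
    have = [levels.index(v) for v in attrs.get("Security Clearance", []) if v in levels]
    return cleared and bool(have) and max(have) >= levels.index(min_clearance)
```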
Example: Information Filtering Policy
XSLT Transformation
<xsl:template match="//*[name()='Placemark']">
  <!-- Check if the name node starts with SEAL. If it does then return nothing, else copy the node back -->
  <!-- We could have as many of these tests as we want for other things. The default action is to copy it out. -->
  <xsl:choose>
    <xsl:when test="starts-with(./*[name()='name'], 'SEAL')"/>
    <xsl:otherwise>
      <xsl:copy-of select="."/>
    </xsl:otherwise>
  </xsl:choose>
</xsl:template>
Directory Server
• Provides a secure, scalable, high-performance, highly
  available, and easy-to-manage Directory Service
• Multi-master replication and fail-over for high availability
• Web-based admin interface for service
• Virtual directory functionality
• Built in security to prevent denial of service and data
• Bi-directional password sync with MS Active Directory

Identity Manager
• User Provisioning
• Identity Synchronisation
• Profile Management
• Password Sync/policies
• Delegated Administration
• Policies and Workflow

