Java CAPS Secure SOA
September 2008



Igor Mameshin
Sun SOA/BI GTE
Security Challenges – Domain Restrictions
• Federation
    > Federated Identity and User Privacy
• SSO for Web sites, identity based Web services
• Insider Threats
• Outsider Threats
    > XML Attacks
• Interoperability
• Multi-Level-Security (MLS)
• Governance, Compliance, Auditing
• Information filtering (role specific view, data masking)
                                Sun Proprietary                2
Security Pre-SOA: Silo-ed / Ad Hoc Trust?
[Figure: three monolithic applications (Field Service Scheduling, Order Processing, Accounts Management) with functions duplicated across them (Check Customer Status, Determine Product Availability, Verify Customer Credit, Calculate Shipping Charges, Order Status), each wired to its own back ends: Custom Marketing System, AS400 Sales System, Oracle CRM System, SAP Finance System, Red Prairie Warehouse Mgmt. System, Another Business Unit, External Trading Partner, Data Repository. The links are labelled inconsistently: cleartext vs. encrypted, auth vs. authz, LOG vs. NO LOG vs. AUDIT, "NO SSO!". Open questions on the slide: Privacy? Policy / Control? Audit? Integrity? Non-repudiation?]
Secure SOA: Refactored & Standardized Security
[Figure: composite apps (Field Service Scheduling, Order Processing, Accounts Management) call re-usable application services (Check Inventory, Check Customer Status, Check Order Status, Check Credit, Create Invoice) over Trusted token SSO and Secure Conv. Centralized Security and Infrastructure Services / Components: Authentication, Authorization, Trusted Token, Policy, Signature, Credential Management, Session, Encryption, Identity Provisioning, Federation, Logging, Audit. Data repositories: Identity Stores, Policy Stores, Key Stores, Service Repository, Log Stores, Another Business Unit, External Trading Partner.]
Secure SOA Defined
Secure SOA is an approach to implementing SOA which, by design,
ensures trust throughout the SOA ecosystem (including services,
consumers, composite applications and infrastructure) by addressing
some or all of the following security aspects:
• Authentication
• Authorization
• Integrity
• Confidentiality
• Accountability (monitoring, logging, audit, non-repudiation)
• Identity (federation, provisioning, trust brokering)
• Security Policies

Secure SOA is best viewed as a specific case of Governed SOA.
Implement Identity Based Services
• Federated Access Manager 8 (FAM) - provides the ability to log in to a Web
  application/portal once and have access to the network of systems (SSO)
• FAM – provides the identity of the user who originated a business transaction
  to all services
• FAM - implements the Secure Token Server (STS), which is responsible for
  generating SAML Tokens. Uses JSR-196 Security Providers on the Application
  Server to secure the SOAP message generated by the Web Services Client
  and to validate the SOAP message at the Web Services Provider.
• Identity Manager (IDM) - provisions users into LDAP, and provisions user
  attributes such as group memberships, security clearance, and military rank.
• Layer 7 SSG - implements authorization for applications to invoke Web
  services, and implements information visibility, service governance, audit,
  monitoring and management.
• Java CAPS – implements enterprise services and business processes.

Security Architecture Patterns
Point-to-Point (Security inside Web service)
• Low reuse
• Complex and inflexible development
• Technology dependent, platform dependent
• Re-engineering is required to implement new standards
Intercepting Agent (Security inside J2EE Container)
• Application server and API dependent
• Not loosely coupled
XML Gateway / SOA Governance Gateway / Service Gateway
• Truly loosely coupled
• Service, container, and technology independent
• Easily adapts to new standards
• Gateway and Agent models provide centralized management and reporting,
  with the ability to make global changes for multiple Web services. This
  functionality must be custom-built if platform-specific solutions are written.
Security Architecture Patterns
• Point-to-Point (Security inside Web service)
   > Can be implemented at the transport level using HTTPS/SSL
   > Application code includes security code that implements security for service
     consumers and providers
   > Implemented through hooks: JAX-WS handlers, JSR 196 callbacks, Axis handlers
• Intercepting Agent (Security inside J2EE Container)
   > Protects services through a Web Agent that intercepts requests at the Web
     Container and provides authentication, authorization, encryption, and auditing
   > Enforced at the endpoint with an agent such as the Access Manager J2EE Policy Agent
• XML Gateway / SOA Governance Gateway / Service Proxy
   > Provides a single entry point and allows centralization of security enforcement for
     incoming and outgoing messages. It helps to implement security policies and to
     apply transport-level and message-level security.
   > Enforced at hardware appliances, standalone software, or JBI aspects
   > Aspects help to encapsulate cross-cutting concerns in one place. Aspects can
     alter the behavior of the non-aspect parts of a software application.
Secure SOA Architecture
[Figure: a Web GUI Service Consumer obtains an SSO Token and sends Request+SAML to the Service Gateway (AM Client SDK), which returns the Response. The gateway presents an Authentication Assertion to the access management tier (Authentication, SSO Session, Authorization, Policy Enforcement, Federation, STS) and consults the Service Registry and Repository. Behind the gateway an Enterprise Service Bus fronts the Business process, Enterprise Service and Service components, each backed by MySQL. Identity Manager handles Provisioning, Identity Sync, Password Sync and Admin Policies against the User Repository and Data Repository.]
Products Selection
          Production                         Open Source

Solaris OS 10 u5
Java CAPS 6
Directory Server 6.3
Identity Manager 7.1
MySQL DataBase 5.0
Application Server 9.1
Federated Access Manager 8.0
Layer 7 SSG Gateway




Tango / JAX-WS / Metro
• Project Tango develops and evolves the codebase for
  Web Services Interoperability Technologies (WSIT).
  Includes XWSS 3.0.
• Tango + JAX-WS + JAXB system is known as the Metro
  Web Services stack
  > Leverages existing technologies (JAXB, SAAJ, Woodstox, XML
    stream buffer)
  > Implements the JAX-WS 2.0 API (JSR 224)
  > Extensible transport support (HTTP, SOAP/TCP, MTOM and
    XOP, SMTP, sample JMS)
  > Adds Reliability, Transactions and of course Security


Web Service Security in Metro 1.0
• Security in Metro 1.0 is based on the following security
  related specifications and standards:
  > WS-Security Core Specification 1.1
  > Username Token Profile 1.1
  > X.509 Token Profile 1.1
  > SAML Token Profile 1.1
• The security requirements and capabilities of a Web service
  in Metro are expressed using WS-SecurityPolicy. Interoperability
  is achieved by the use of the WS-Security standard, as well as
  WS-I and WS-I BSP.
• NetBeans and its WSIT plugin allow configuration or profiles
  to be defined through UI screens.
Web Service Security in Metro 1.0
• Current limitations of XWSS 3.0
  > No support for caching of nonces and replay detection as
    outlined in the WSS specifications. This was supported in XWSS
    2.0; the feature was later disabled.
  > No support for securing attachments as defined by the WSS SOAP
    With Attachments Profile 1.1. This was supported in XWSS
    2.0; the feature was later disabled.
  > The only practical way to configure is through design-time
    NetBeans JAX-WS profiles
• The JSR 196 CallbackHandler allows custom code to be
  implemented


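What the missing nonce cache and replay detection look like when they have to be supplied outside XWSS 3.0, as an added example in Python that is not part of this deck or of the Metro/XWSS code: a freshness window on wsu:Created plus a cache of seen nonces, the check a custom JSR 196 handler or gateway policy would carry. The UsernameToken header, the fixed clock and the 5-minute window are constructed assumptions.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"

# Fixed "now" for the demonstration so the results are reproducible (constructed).
DEMO_NOW = datetime(2008, 9, 15, 10, 0, 0, tzinfo=timezone.utc)


def make_token(nonce_b64, created):
    """Constructed wsse:Security header with a UsernameToken, as a WSC would send it."""
    return (
        f'<wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">'
        "<wsse:UsernameToken><wsse:Username>c2operator</wsse:Username>"
        f"<wsse:Nonce>{nonce_b64}</wsse:Nonce><wsu:Created>{created}</wsu:Created>"
        "</wsse:UsernameToken></wsse:Security>"
    )


class ReplayDetector:
    """Freshness window plus nonce cache, following the WSS spec's replay guidance.

    A token is accepted only if its Created timestamp lies inside the window and its
    Nonce has not been seen inside that window. Nonces older than the window are
    evicted: a token carrying one would be rejected as stale anyway, so eviction
    bounds the cache without weakening the check.
    """

    def __init__(self, freshness=timedelta(minutes=5), clock_skew=timedelta(seconds=60)):
        self.freshness = freshness
        self.clock_skew = clock_skew
        self._seen = {}  # decoded nonce bytes -> Created time of the token that used it

    def check(self, security_header_xml, now):
        """Return (accepted, reason) for one wsse:Security header."""
        root = ET.fromstring(security_header_xml)
        nonce_el = root.find(f".//{{{WSSE}}}Nonce")
        created_el = root.find(f".//{{{WSU}}}Created")
        if nonce_el is None or created_el is None:
            return False, "missing Nonce or Created"
        try:
            nonce = base64.b64decode(nonce_el.text or "", validate=True)
            created = datetime.fromisoformat((created_el.text or "").replace("Z", "+00:00"))
        except ValueError:
            return False, "malformed Nonce or Created"
        if not nonce:
            return False, "empty Nonce"
        if created.tzinfo is None:
            return False, "Created lacks a timezone"
        if created > now + self.clock_skew:
            return False, "Created is in the future"
        if now - created > self.freshness:
            return False, "Created is stale"
        self._evict(now)
        if nonce in self._seen:
            return False, "nonce replayed"
        self._seen[nonce] = created
        return True, "accepted"

    def _evict(self, now):
        cutoff = now - self.freshness
        for nonce in [n for n, c in self._seen.items() if c < cutoff]:
            del self._seen[nonce]


def run_demo():
    """Fresh token accepted; the same token replayed rejected; an old token rejected."""
    det = ReplayDetector()
    fresh = make_token(base64.b64encode(b"nonce-0001").decode(), "2008-09-15T09:59:30Z")
    stale = make_token(base64.b64encode(b"nonce-0002").decode(), "2008-09-15T09:50:00Z")
    return [det.check(fresh, DEMO_NOW), det.check(fresh, DEMO_NOW), det.check(stale, DEMO_NOW)]


if __name__ == "__main__":
    for accepted, reason in run_demo():
        print("ACCEPT" if accepted else "REJECT", reason)
```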
Tango / WSIT / Metro
• Pros:
  > Point-and-click client and server support
  > Supports specifications (WS-Security, WS-Trust, WS-Policy,
    WS-Secure Conversation, WS-Security Policy)
  > .NET interoperability
• Cons:
  > Packaging-time decisions:
     – one policy per service
     – point-to-point solution
  > Limited to GlassFish, Tomcat, NetBeans
  > Can only support newly developed services
  > Non-extendable (e.g. custom mechanisms, tokens, etc)
Access Manager Features
• User session management & Single Sign-On for Web
  sites
• User authentication: LDAP, Active Directory, certificate
• Authorization and Policy Service: resources, rules,
  subjects
• Identity Federation: SAML, ID-WSF
• Logging: file, database, secure logging
• Pluggable J2EE Policy Agents prevent unauthorized
  access to web content and web services
• The AM Client SDK can be used for making dynamic, runtime-based
  access control decisions
Federated Access Manager
• Fulfills the requirements for Message Level Security and
  Identity Federation
• FAM instances host the Secure Token Server (STS),
  which is responsible for generating SAML Tokens, and
  securing the SOAP message generated by the Web
  Services Client
• FAM instances are also configured as trusted entities to
  enable Identity Federation




FAM Architecture




Requirements for Web Services Security
• Identify the Principal
  > WS-Security, WS-I Basic Security Profile
  > Liberty ID-WSF Security Mechanisms
• Preserve the Identity
  > Across multiple “hops”
  > Across domain boundaries
• Maintaining privacy and integrity
• Using existing technologies & idioms
• Audit


Federated Access Manager and Web Services Security
• Problem:
  > How do I support web services for my web applications in various
    containers when it is handled differently from container to container?
• What It Does
  > Provides an agent that can be deployed in containers for consuming,
    processing and transforming security tokens including SAML
  > Abstracts security from the application.
  > WSS Agent allows standardization on security across multiple
    containers (e.g. Sun, IBM, BEA etc.)
      – Implements container's authentication SPI (JSR 196)
      – Secures SOAP request and validates SOAP response at WSC.
      – Validates SOAP request and secures SOAP response at WSP.
[Figure: the Web Service Client (WSS Agent, FAM clientsdk) sends the SOAP (WSS) Request to the Web Service Provider (WSS Agent, FAM clientsdk); both agents talk to the FAM Server, with the exchange numbered 1 to 5 in the diagram.]
Web Services Security Agent
(Authentication Provider)
• Protects Web Service communication between WSC
  and WSP
• Implements container's Authentication SPI (JSR 196
  SPI)
• Plugged into container
• Secures SOAP request and Validates SOAP
  response at WSC
• Validates SOAP request and Secures SOAP
  response at WSP
• Configured per WSC and WSP

Securing a SOAP Request




Verification and Response




Secure Token Service
• Problem:
  > How does the Web service verify the credentials presented by the client?
• How It Works
  > An authenticated client requests a token needed to access the web
    service provider.
  > The STS verifies the credentials presented by the client, and then in
    response, it issues a security token that provides proof that the
    client has authenticated with the STS.
  > The client presents the WS-I BSP based security token (User Name,
    X.509, SAML etc.) to the Web service.
  > The Web service verifies that the token was issued by a trusted STS,
    which proves that the client has successfully authenticated with the STS.
[Figure: Web Service Client -> (1) Request -> Security Token Service; (2) Issue Token (WS-Trust) back to the client; (3) SOAP (WSS) call carrying the token to the Web Service Provider.]
Sequence Flow - STS




STS Architecture




Layer 7: SecureSpan XML Appliances
• Family of gateways in appliance and S/W only form
• Provide acceleration, validation, security, federation,
  routing, protocol mediation, load balancing, SLAs,
  logging, light monitoring and throttling and some run-time
  governance.
• Not limited to Web Services (also supports Web 2.0,
  AJAX, RSS, REST)
• High performance and scalability
• Very strong standard support
• Easy to use and integrate with CAPS
• Willing to modify their product to meet customer needs
Layer 7: SecureSpan XML Appliances
• Application Oriented Networking and XML routing
• Service virtualization
• Centralized SLA enforcement
• Transport and protocol mediation
• Runtime enforcement of SOA governance policies
Layer 7: SecureSpan Manager




Federated Identity Aware
Trusted Services (FIATS) Demo

WSS Implementation
FIATS Demo: WSS Requirements
• Two simulated Security Domains – Navy and CoastGuard
• Navy domain hosts the Command and Control (C2) app
• C2 App invokes multiple Web Services through an
  intermediary
• Navy domain hosts the AuthN Layer and the STS layer
• Users are Authenticated by the FAM AuthN layer
• STS secures and signs all resulting SOAP messages
  from Web Service requests
• JSR 196 Security Providers used to intercept Servlet calls
  and SOAP messages; GlassFish container
FIATS Demo: WSS Requirements
• STS generates SAML Token to “Identity enable” the Web
  Services
• SAML Token contains a set of Attribute statements
• The Attribute statements are used by L7 SSG to make
  Authorization decisions
• SAML Post Profile Federation in-place to federate users
  from Navy to CoastGuard domain
• SAML assertion generated by the Navy IDP contains the
  Attribute Statements required for AuthZ decisions
• Navy domain STS is used to secure SOAP messages

FIATS Demo: FAM Architecture




Configure FAMServerProvider




Configure FAM Attribute Mapper
• Attribute mapping provides a way to insert attribute statements
  into SAML assertions; authorization decisions are then made
  from those statements
• Attributes are mapped using the mapper in the WSC and WSP
  configurations in FAM
• The mapped attributes need to be part of the IdRepo set of
  attributes
• The following attributes are mapped for the FIATS demo
  > Group
  > Security Clearance
  > Rank
Configure FAM Attribute Mapper




Layer 7 SecureSpan Gateway (SSG)
• Sun has a partnership with Layer 7 for SOA security,
  policy management, and operational governance
• SSG is an XML Firewall and service gateway designed to
  protect Web Services and enforce service policies.
  Supports HTTP(s), FTP(S), JMS endpoints
• Available in one of two form factors
  > As a 64-bit ASIC-accelerated hardware appliance
  > As a software package running on Solaris 10 and Red Hat
    Enterprise Linux 4.



Layer 7 SecureSpan Gateway (SSG)
• Can be clustered for load balancing
• Identity Providers authenticate users and groups. SSG
  can
  > Use own internal identity provider (IIP/FIP)
  > Interface with LDAP Providers: Oracle, IBM TivoliLDAP, MS
    Active Directory, Generic LDAP v3
  > Connect to external identity management systems: CA
    SiteMinder, Sun AM, IBM Tivoli AM
• Trust Store keeps trusted client certificates
• UDDI used to retrieve and publish Web services from/to
  HP Systinet
Example: Authorization Policy
<wsp:MessagePredicate
    Dialect="http://www.w3.org/TR/1999/REC-xpath-19991116"
    L7p:variablePrefix="Group" wsp:Usage="wsp:Required"
    xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:tns="http://services.fighterfeed.nato/"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">//saml2:Attribute[@Name='Group']/saml2:AttributeValue</wsp:MessagePredicate>
<wsp:OneOrMore wsp:Usage="Required">
  <wsp:All wsp:Usage="Required">
    <L7p:CommentAssertion>
      <L7p:Comment stringValue="Clear any US Navy group member"/>
    </L7p:CommentAssertion>
    <!-- Case-insensitive CONTAINS test on the XPath result captured above as ${Group.result} -->
    <L7p:ComparisonAssertion>
      <L7p:CaseSensitive booleanValue="false"/>
      <L7p:Expression1 stringValue="${Group.result}"/>
      <L7p:Operator operatorNull="null"/>
      <L7p:Predicates predicates="included">
        <L7p:item dataType="included">
          <L7p:Type variableDataType="string"/>
        </L7p:item>
        <L7p:item binary="included">
          <L7p:Operator operator="CONTAINS"/>
          <L7p:RightValue stringValue="cn=USNavy"/>
        </L7p:item>
      </L7p:Predicates>
    </L7p:ComparisonAssertion>
    <!-- VHJ1ZQ== is base64 for "True": the Cleared variable is set only when the comparison passed -->
    <L7p:SetVariable>
      <L7p:Base64Expression stringValue="VHJ1ZQ=="/>
      <L7p:VariableToSet stringValue="Cleared"/>
    </L7p:SetVariable>
  </wsp:All>
</wsp:OneOrMore>
Example: Information Filtering Policy
XSLT Transformation
<xsl:template match="//*[name()='Placemark']">
  <xsl:choose>
    <!-- Check if the name node starts with SEAL. If it does then return nothing,
         else copy the node back -->
    <!-- We could have as many of these tests as we want for other things. The
         default action is to copy it out. -->
    <xsl:when test="starts-with(./*[name()='name'], 'SEAL')">
    </xsl:when>
    <xsl:otherwise>
      <xsl:copy>
        <xsl:apply-templates></xsl:apply-templates>
      </xsl:copy>
    </xsl:otherwise>
  </xsl:choose>
</xsl:template>
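The two gateway checks from the authorization policy and the XSLT filter above, re-implemented in Python as an added example that is not Layer 7 policy code and does not run inside the SSG: the case-insensitive CONTAINS test on the SAML Group attribute that sets Cleared, and the removal of Placemark elements whose name starts with SEAL. The SAML assertion and KML body are constructed samples, and applying CONTAINS to each Group value separately is my assumption about how the gateway evaluates the XPath result.

```python
import xml.etree.ElementTree as ET

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed SAML assertion of the kind the Navy STS attaches to a request.
SAMPLE_ASSERTION = f"""<saml2:Assertion xmlns:saml2="{SAML2}">
  <saml2:AttributeStatement>
    <saml2:Attribute Name="Group">
      <saml2:AttributeValue>cn=USNavy,ou=Groups,dc=example,dc=mil</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="Rank">
      <saml2:AttributeValue>LCDR</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""

# Constructed KML response body with one Placemark that the policy must strip.
SAMPLE_KML = """<kml xmlns="http://www.opengis.net/kml/2.2">
  <Document>
    <Placemark><name>SEAL unit position</name><Point><coordinates>0,0</coordinates></Point></Placemark>
    <Placemark><name>Harbor buoy</name><Point><coordinates>1,1</coordinates></Point></Placemark>
  </Document>
</kml>"""


def local_name(tag):
    """Strip the namespace, mirroring the XSLT's name()='...' matching."""
    return tag.rsplit("}", 1)[-1]


def group_values(assertion_xml):
    """Equivalent of //saml2:Attribute[@Name='Group']/saml2:AttributeValue."""
    root = ET.fromstring(assertion_xml)
    return [
        (v.text or "").strip()
        for attr in root.iter(f"{{{SAML2}}}Attribute") if attr.get("Name") == "Group"
        for v in attr.findall(f"{{{SAML2}}}AttributeValue")
    ]


def clearance_variables(assertion_xml, required="cn=USNavy"):
    """ComparisonAssertion + SetVariable: case-insensitive CONTAINS on the Group
    values; on success the policy variable Cleared is set to "True" (the slide's
    VHJ1ZQ== is base64 for "True"). Returns the variables later policy steps see."""
    hit = any(required.lower() in g.lower() for g in group_values(assertion_xml))
    return {"Cleared": "True"} if hit else {}


def filter_placemarks(kml_xml, prefix="SEAL"):
    """Equivalent of the XSLT template: drop every Placemark whose <name> starts
    with the prefix and copy everything else through. Returns (xml, removed)."""
    root = ET.fromstring(kml_xml)
    removed = 0
    for parent in list(root.iter()):  # snapshot: the tree is modified below
        for child in list(parent):
            if local_name(child.tag) != "Placemark":
                continue
            name = next((c.text or "" for c in child if local_name(c.tag) == "name"), "")
            if name.startswith(prefix):
                parent.remove(child)
                removed += 1
    return ET.tostring(root, encoding="unicode"), removed


if __name__ == "__main__":
    print(clearance_variables(SAMPLE_ASSERTION))
    filtered, n = filter_placemarks(SAMPLE_KML)
    print(f"removed {n} placemark(s)")
    print(filtered)
```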
Directory Server
• Provides secure, scalable, high performance, highly-
  available, and easy-to-manage Directory Service
• Multi-master replication and fail-over for high availability
• Web-based admin interface for service
• Virtual directory functionality
• Built in security to prevent denial of service and data
  trawling
• Bi-directional password sync with MS Active Directory



Identity Manager
• User Provisioning
• Identity Synchronisation
• Profile Management
• Password Sync/policies
• Delegated Administration
• Policies and Workflow
Questions?



