Professional Documents
Culture Documents
Agenda
Service Oriented Architecture and Interoperability
Role of Web Services
10/23/2007
Template Documentation
What is SOA?
a service? service oriented architecture (SOA)?
A repeatable business task e.g., check customer credit; open new account
Business components
Web Services
A set of vendor neutral and platform agnostic standards that can be used to define how SOA components interact
WS Protocols (XML, SOAP, WSDL, UDDI) provide an interface toolkit for components Business components SOA components Components interfaces Web Services protocols 5
10/23/2007
Template Documentation
Reliability
Transactions
Management
Security
Web Services Description Language (WSDL) Simple Object Access Protocol (SOAP) Extensible Markup Language (XML) Other Protocols Other Services
Protocol composability
Use protocol building blocks in nearly any combination.
Autonomous services
Independent endpoints
Managed transparency
Controlling what is externally visible
Protocol-based integration
Coupling via wire artifacts only.
Organizational/enterprise boundaries
Perimeter is obscure Identities are managed across boundaries Trust relationships are established across boundaries
Composite applications
Ensuring proper security controls are enacted for each service and when used in combination
Policy Management
IT Security Services
Identity Services Confidentiality Services Authentication Services Integrity Services Authorization Services Audit Services
Security Enablers
10/23/2007
Template Documentation
10
Security services
Standardized virtualized security services
Message protection
10/23/2007
Template Documentation
15
WS-Security
Sender Intermediary Intermediary Receiver
WS-Security
Defines a framework for building security protocols
Integrity Confidentiality Propagation of security tokens
WS-Security
WS-Security does provide:
Message level security Improved SSL Security at lower/network layer Transmission security Message authentication Message confidentiality Message integrity
WS Security
Terminology:
Claim - A claim is a statement that a client makes (e.g. name, identity, key, group, privilege, capability, etc). Security Token - A security token represents a collection of claims. Signed Security Token - A signed security token is a security token that is asserted and cryptographically endorsed by a specificauthority (e.g. an X.509 certificate or a Kerberos ticket). Proof-of-Possession - The proof-of-possession information is data that is used in a proof process to demonstrate the sender's knowledge of information that SHOULD only be known to the claiming sender of a security token. Integrity - Integrity is the process by which it is guaranteed that information is not modified in transit. Confidentiality - Confidentiality is the process by which data is protected such that only authorized actors or security token owners can view the data Digest - A digest is a cryptographic checksum of an octet stream. Signature - A signature is a cryptographic binding of a proof-of-possession and a digest. This covers both symmetric key-based and public key-based signatures. Consequently, non-repudiation is not always achieved. Attachment - An attachment is a generic term referring to additional data that travels with a SOAP message, but is not part of the SOAP Envelope.
(016)
(017) (018)
(019) (020)
<wsse:Security Line 009: Start of Security header xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/04/secext"> wsse:UsernameToken Id="MyID"> Lines 010 to 012 specify the security token <wsse:Username>Zoe</wsse:Username> </wsse:UsernameToken> <ds:Signature> <ds:SignedInfo> Lines 013 to 028 specify a digital signature this example uses a <ds:CanonicalizationMethod signature based on the security Algorithm= "http://www.w3.org/2001/10/xml-exc-c14n#"/> token, this is NOT a recommended signature scheme <ds:SignatureMethod Algorithm= "http://www.w3.org/2000/09/xmldsig#hmac-sha1"/> <ds:Reference URI="#MsgBody"> <ds:DigestMethod Algorithm= "http://www.w3.org/2000/09/xmldsig#sha1"/> <ds:DigestValue>LyLsF0Pi4wPU...</ds:DigestValue> </ds:Reference>
</ds:SignedInfo> <ds:SignatureValue>DJbchm5gK...</ds:SignatureValue> <ds:KeyInfo> <wsse:SecurityTokenReference> <wsse:Reference URI="#MyID"/> </wsse:SecurityTokenReference> </ds:KeyInfo> </ds:Signature> </wsse:Security> </S:Header> <S:Body Id="MsgBody"> <tru:StockSymbol xmlns:tru="http://fabrikam123.com/payloads"> Lines 031 to 033 contain the body of the SOAP message QQQ </tru:StockSymbol> (033) </S:Body> (034) </S:Envelope>
WS-Trust
Defines how to broker trust relationships
Some trust relationship has to exist a priori
Defines how to exchange security tokens Defined as an interface specification for a Security Token Service Anyone can issue tokens (be a Security Token Service)
Getting Tokens
A RequestSecurityToken message is sent to the trust service It responds with a RequestSecurityTokenResponse
Contains required security token and associated details (e.g. proof)
Example
I want to have secure communication with you I ask the trust service for a token to allow me to talk to you The trust service sends two copies of a secret key
One encrypted for me (proof token) One encrypted for you (requested token)
Example
Trust
U/P
P1 T1
T2 P2
3
T2 T# P#
Trust
Security Token Proof token
T1
Firewall
ESB
DataPower
Firewall
Challenge mechanism
Persisted Context
SCT
Farm Context
SCT
WS-SecureConversation
WS-Security provides for single message security Nodes will often want to exchange more than one message
Specifying new symmetric keys for each message is tedious, verbose, and inefficient
WS-SecureConversation
Participants establish a shared context
Context contains keys/secrets and other information Can be stateless (state embedded in security context token)
Policy
Policy Framework
Policy Attachment Policy WSDL Policy Assertions
WS-Policy
Framework for expressing Web service capabilities and requirements
Security Transactions Reliable messaging Transports
...
Policy: collection of alternatives; pick one Alternative: collection of assertions; do all Assertion: domain-specific behavior
Strongly typed Arbitrary parameters to behavior
WS-Policy Model
WS-Policy Expressions
May represent a policy in a compact form
Nest operators
All distributes over ExactlyOne
Assertion/@wsp:Optional=true
An alternative with and an alternative without Simplification of prior @wsp:Usage=xs:QName
WS-Policy Intersections
Do two Web service endpoints have compatible policy?
At design time to wire together compatible services At runtime to select compatible options
Two alternatives are compatible if they at least have the same assertion types
WS-PolicyAttachment
Associate policy with WSDL constructs
Interface-wide policy, e.g.,
SOAP version Transports (and addresses) Which token to use when signing messages Which version of transactions (if any)
WS-SecurityPolicy
A set of policy assertions related to concepts defined by other WS-Sec* specs Allows participants to specify
Token types Whether integrity and/or confidentiality are required Algorithms for the above Which message parts need signing/encrypting
WS-SecurityPolicy Example
<wsp:Policy> <sp:SymmetricBinding> <wsp:Policy> <sp:ProtectionToken> <wsp:Policy> <sp:KerberosV5APREQToken sp:IncludeToken=".../IncludeToken/Once" /> </wsp:Policy> </sp:ProtectionToken> <sp:SignBeforeEncrypting /> <sp:EncryptSignature /> </wsp:Policy> </sp:SymmetricBinding> <sp:SignedParts> <sp:Body/> <sp:Header Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing" /> </sp:SignedParts> <sp:EncryptedParts> <sp:Body/> </sp:EncryptedParts> </wsp:Policy>
Federation
WS-Federation
Single Sign-On access across trust domains using identities from the different domains WS-Federation defines a model for this building on the WS-* security specifications:
Model for trust Sign out messages Attribute service Pseudonym service
Federation
Using Tivoli Federated Identity Manager
Third-Party Access
Partner
Federated Access
Third-party User
WS-Security/WSFederation/SAML Direct Access
WS-Federation/SAML
User Web SSO Web SSO Billing Service Web SSO Portal Service
Benefits Service
Authorization
Security
Reliable Messaging
Transactions
XSD, WSDL, UDDI, Policy, MetadataExchange XML, SOAP, Addressing HTTP, HTTPS, SMTP
Importance of Composition
Everything works in combination
Ex: Transaction context works over a reliable connection Ex: Participants use WS-Security to secure transactions (for all types participants)
Composable Headers
Addressing
<S:Envelope > <S:Header> <wsa:ReplyTo> <wsa:Address>http://business456.com/User12</wsa:Address> </wsa:ReplyTo> <wsa:To>http://fabrikam123.com/Traffic</wsa:To> <wsa:Action>http://fabrikam123.com/Traffic/Status</wsa:Action> <wssec:Security> <wssec:BinarySecurityToken ValueType="wssec:X509v3" EncodingType=wssec:Base64Binary"> dWJzY3JpYmVyLVBlc..eFw0wMTEwMTAwMD </wssec:BinarySecurityToken> </wssec:Security> <wsrm:Sequence> <wsu:Identifier>http://fabrikam123.com/seq1234</wsu:Identifier> <wsrm:MessageNumber>10</wsrm:MessageNumber> </wsrm:Sequence> </S:Header> <S:Body> <app:TrafficStatus xmlns:app="http://highwaymon.org/payloads"> <road>520W</road><speed>3MPH</speed> </app:TrafficStatus> </S:Body> </S:Envelope>
Security
Reliability
References (1 of 4)
OASIS WSS TC Homepage
http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=wss
Schema Files
http://www.oasis-open.org/committees/download.php/5076/oasis200401-wss-wssecurity-secext-1.0.xsd.xsd http://www.oasis-open.org/committees/download.php/5075/oasis200401-wss-wssecurity-utility-1.0.xsd.xsd
References (2 of 4)
OASIS WSS TC Call for participation & Original Charter
http://lists.oasis-open.org/archives/wss/200207/msg00000.html
References (3 of 4)
OASIS WSS TC Disposition of public review/comments
http://lists.oasis-open.org/archives/wss/200401/msg00157.html http://lists.oasis-open.org/archives/wss/200311/msg00044.html
Statements of implementation
http://lists.oasis-open.org/archives/wss/200402/msg00022.html http://lists.oasis-open.org/archives/wss/200402/msg00027.html http://lists.oasis-open.org/archives/wss/200402/msg00023.html http://lists.oasis-open.org/archives/wss/200402/msg00029.html http://lists.oasis-open.org/archives/wss/200402/msg00024.html http://lists.oasis-open.org/archives/wss/200402/msg00026.html http://lists.oasis-open.org/archives/wss/200402/msg00025.html http://lists.oasis-open.org/archives/wss/200402/msg00028.html
References (4 of 4)
OASIS WSS TC Public review comments archive
http://lists.oasis-open.org/archives/wss-comment/