Securing your XML and Web service implementations Nattakan Pengphon Technical Specialist
1 Securing your XML and Web service implementations Nattakan Pengphon Technical Specialist IBM Corporation
2 TH e-GIF (Thailand e-Government Interoperability Framework): technical standards for electronic interoperation. 1. Interconnection 2. Data exchange 3. Data storage and presentation formats 4. Security of data and information systems 5. Other
3 Agenda Introduction to XML and Web Services SOA and Web Services Security Standards SOA and Web Services Security Architecture SOA and Web Services Security Tools and Solutions 3
4 What is XML? XML stands for eXtensible Markup Language. XML is a markup language much like HTML. XML was designed to carry data, not to display data. XML tags are not predefined: you must define your own tags. XML is designed to be self-descriptive. XML is a W3C Recommendation.
5 XML Does not DO Anything. It may be a little hard to understand, but XML does not DO anything. XML was created to structure, store, and transport information. XML is just plain text; however, XML-aware applications can handle the XML tags specially. The functional meaning of the tags depends on the nature of the application. The following example is a note to Tove from Jani, stored as XML:
6 XML is Not a Replacement for HTML XML is a complement to HTML. It is important to understand that XML is not a replacement for HTML. In most web applications, XML is used to transport data, while HTML is used to format and display the data. My best description of XML is this: XML is a software and hardware independent tool for carrying information XML was designed to transport and store data. HTML was designed to display data. 6
7 Example XML Document
<?xml version="1.0"?>                                    XML prolog
<!-- Airplane.XML -->                                    XML comment
<?xml-stylesheet type="text/xsl" href="Airplane.xsl"?>   processing instruction
<Airplane propulsion="propeller" Engines="1">            root element, with XML attributes
  <Name>Piper Warrior</Name>                             child element of the root, containing text
  <Dims>                                                 child element of the root
    <Dim Wing_Span="35Ft"></Dim>                         grandchildren of the root
    <Dim Length="23.8 ft"></Dim>
  </Dims>
</Airplane>
8 Parsing XML. XML may be well-formed, valid, or both. An XML document is well-formed if: the XML declaration <?xml ... ?>, when present, comes first; tags are strictly nested: <tag>...</tag>; the special characters < and & appear only as markup and are written &lt; and &amp; when they are meant as data (likewise &gt;, &quot;, &apos;); comments look like <!-- This is a comment -->. An XML document is valid if it specifies and conforms to an XML Schema or Document Type Definition (DTD). Valid XML documents are well-formed; well-formed XML documents might be valid. A parser must reject ill-formed input rather than guess at it, and schema validation is what lets a service refuse input whose structure it did not expect.
9 XSL = XML Style Sheets. XML does not use predefined tags (we can use any tag names we like), and the meaning of these tags is not well understood. A <table> element could mean an HTML table, a piece of furniture, or something else, and a browser does not know how to display it. XSL describes how the XML document should be displayed.
10 What is XSLT? XSLT stands for eXtensible Stylesheet Language Transformations. XSLT is the most important part of XSL. XSLT transforms an XML document into another XML document. XSLT uses XPath to navigate in XML documents. XSLT is a W3C Recommendation.
11 Apply stylesheet to convert to HTML
Source XML:
<ticker>
  <quote>
    <company>XML Innovations</company>
    <symbol>XMLI</symbol>
    <exchange>NASDAQ NMS</exchange>
    <change>-7/16</change>
    <last>27 1/4</last>
    <pctchange>-1.58</pctchange>
    <yrhighlow>108, 10 5/8</yrhighlow>
    <dayhighlow>27 9/16, 26 1/2</dayhighlow>
    <volume>105,100</volume>
    <prevclose>27 11/16</prevclose>
    <open>27 3/8</open>
  </quote>
  <quote>
    <company>XSL Solutions</company>
    <symbol>XSLS</symbol>
    <exchange>NASDAQ NMS</exchange>
    <change>-9/16</change>
    <last>45 3/16</last>
    <pctchange>-1.23</pctchange>
    <yrhighlow>47 5/16, 25 5/8</yrhighlow>
    <dayhighlow>45 11/16, 44 1/2</dayhighlow>
    <volume>3,124,400</volume>
    <prevclose>45 3/4</prevclose>
    <open>44 5/8</open>
  </quote>
</ticker>
XSLT (the stylesheet restates the XSLT built-in rules, then a template for the document root that emits HTML):
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:template match="*|/"><xsl:apply-templates/></xsl:template>
  <xsl:template match="text()|@*"><xsl:value-of select="."/></xsl:template>
  <xsl:template match="processing-instruction()|comment()"/>
  <xsl:template match="/">
    <HTML>
      <HEAD><TITLE>Your-Stock-Quote.com</TITLE></HEAD>
      <BODY link="#006363" vlink="#006363">
        <BASEFONT face="arial" size="2"/>
        <TABLE border="0" cellpadding="0" cellspacing="0" width="400"><TBODY><TR>
          <TD colspan="2" height="25" valign="top">
            <TABLE border="0" cellpadding="0" cellspacing="0" width="464"><TBODY><TR>
              <TD align="center" bgcolor="#ffffcc" colspan="2" height="40" valign="top">
                <STRONG> ... (the rest of the stylesheet is cut off on the slide)
12 XSL Information
13 Web Services
14 What are Web Services? Web services are application components Web services communicate using open protocols Web services are self-contained and self-describing Web services can be discovered using UDDI Web services can be used by other applications XML is the basis for Web services 14
15 Web Service Architecture. Lifecycle: Build, Deploy, Run. Three roles: the Service Provider hosts the Web Service and publishes its service description (WSDL) to a Service Registry (UDDI); the Service Requester finds the description in the registry (WSDL, UDDI); the requester then binds to the provider and invokes the service over SOAP.
16 Emerging Web Service Standards SOAP - Simple Object Access Protocol WSDL - Web Service Description Language UDDI - Universal Description, Discovery and Integration 16
17 What is SOAP? SOAP is a simple XML-based protocol that lets applications exchange information over HTTP. Or, more simply: SOAP is a protocol for accessing a Web Service. SOAP stands for Simple Object Access Protocol. SOAP is a communication protocol and a format for sending messages. SOAP is designed to communicate via the Internet. SOAP is platform independent and language independent. SOAP is based on XML. SOAP is simple and extensible. SOAP over HTTP passes through firewalls that already allow HTTP: convenient, but it also means a conventional firewall sees only HTTP and inspects nothing in the message, which is the gap the XML firewall later in this deck addresses. SOAP is a W3C standard.
18 SOAP Messaging. A simple enveloping mechanism, independent of the transport layer. Envelope: Body and Headers. Body: RPC (Remote Procedure Call) or Document messages. Headers: additional information such as security or authorization. Layout: an Envelope containing a Header and a Body, with the application data inside the Body.
19 SOAP example
20 SOAP Request/Response
21 What is WSDL? WSDL is an XML-based language for describing Web services and how to access them. WSDL stands for Web Services Description Language WSDL is based on XML WSDL is used to describe Web services WSDL is also used to locate Web services WSDL is a W3C standard 21
22 WSDL: an XML language for describing Web services as a set of endpoints operating on messages. Messages contain either document-oriented or procedure-oriented information. Operations and messages are described abstractly, then bound to a concrete network protocol and message format to create an endpoint. A functional description of network-accessible services: an IDL description plus protocol and deployment details. WSDL V1.1 Specification.
23 WSDL Usage. Two types of WSDL service description documents: Service Interface and Service Implementation. Service Interface: an abstract, reusable service definition; represents a type of service that can be implemented; elements: types, message, portType, binding. Service Implementation: an implementation of one or more service interfaces; contains the endpoint reference; elements: import and service.
24 WSDL Service Interface (URIs cut off on the slide are shown as "...")
<?xml version="1.0"?>
<definitions name="StockQuoteService-interface" ...>
  <message name="SymbolRequest">
    <part name="symbol" type="xsd:string"/>
  </message>
  <message name="QuoteResponse">
    <part name="quote" type="xsd:string"/>
  </message>
  <portType name="StockQuoteService">
    <operation name="getQuote">
      <input message="tns:SymbolRequest"/>
      <output message="tns:QuoteResponse"/>
    </operation>
  </portType>
  <binding name="StockQuoteServiceBinding" type="tns:StockQuoteService">
    <soap:binding style="rpc" transport="http://schemas.xmlsoap.org/soap/http"/>
    <operation name="getQuote">
      <soap:operation soapAction="..."/>
      <input>
        <soap:body use="encoded" namespace="urn:live-stock-quotes"
                   encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"/>
      </input>
      <output>
        <soap:body use="encoded" namespace="urn:live-stock-quotes"
                   encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"/>
      </output>
    </operation>
  </binding>
</definitions>
25 WSDL Service Implementation
<?xml version="1.0"?>
<definitions name="StockQuoteService"
             targetNamespace="..."
             xmlns:interface="..."
             xmlns:xsd="http://www.w3.org/2001/XMLSchema"
             xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
             xmlns="http://schemas.xmlsoap.org/wsdl/">
  <import namespace="..." location="..."/>
  <service name="StockQuoteService">
    <documentation>Stock Quote Service</documentation>
    <port name="localhost" binding="interface:StockQuoteServiceBinding">
      <soap:address location="..."/>
    </port>
    ...
  </service>
</definitions>
26 TH e-GIF (Thailand e-Government Interoperability Framework): technical standards for electronic interoperation. 1. Interconnection 2. Data exchange: XML, XML Schema, SOAP, WSDL, UDDI, XSL 3. Data storage and presentation formats 4. Security of data and information systems 5. Other
27 Agenda Introduction to XML and Web Services Security SOA and Web Services Security Standards SOA and Web Services Security Architecture SOA and Web Services Security Tools and Solutions 27
28 SOAP Message Security
29 Security in SOAP. Not described in the core specification: SOAP does not address security; the SOAP 1.1 specification leaves it out of scope. How can SOAP be made secure? Rely on transport security? HTTP authentication; SSL for privacy and integrity. But this is not message-based, end-to-end security: every hop in the transport (i.e. an intermediary) terminates SSL and sees the message in clear. Add your own security? Send the required authentication as part of the SOAP Body, or implement proprietary elements in the SOAP Header. Not interoperable and hard to maintain.
30 Deployment Architecture: No Security. A WS Client sends SOAP/HTTP through the firewall to the Application Server, where the Application Container's SOAP runtime (described by the WSDL) dispatches to the Web Service business logic. All requests are allowed access to the web service: no authentication or authorization, and no message protection (no privacy or integrity).
31 Deployment Architecture: Transport Security. The Client Application sends SOAP/HTTPS through the firewall to an Edge Server, which authenticates the SSL client and forwards SOAP/HTTPS through a second firewall to the protected Application Server (SOAP runtime, WSDL, Web Service business logic). SSL provides authentication of the SSL partners (client and server) and message privacy/integrity across the network. Concerns: are the network gaps between SSL sessions secure enough for the desired level of trust? Is the original user's identity preserved across SOAP processing nodes (e.g. gateways) once the edge server has terminated SSL?
32 Message-based Security: End-to-End Security. Connection integrity/privacy (HTTPS) protects each hop, but what protects the SOAP message between hops, inside an intermediary? Message-based security does not rely on a secure transport: the message itself is encrypted (message privacy); the message itself is signed (message integrity); the message contains identity (proof of origin).
33 WS-Security: SOAP Message Security defines a standard set of SOAP extensions that can be used when building secure Web services to implement integrity and confidentiality. It allows: sending security tokens to authenticate requests; signing data to ensure data integrity and verify the sender; encrypting data to ensure privacy of the data. Goal: end-to-end message content security.
34 Web Services Standards Work To Date (layered, top to bottom). Additional capabilities: Business Process Orchestration, Management, Composition/Orchestration, Portals. Composable service elements: WS-Security, Reliable Messaging, Transactionality. Description: XML Schema, WSDL, UDDI, SOAP with Attachments (endpoint identification, publish/subscribe). Messaging and invocation: XML, SOAP. Transports: HTTP, HTTPS, SMTP, others.
35 Web Services and SOA Security (standards stack). Business Processes: Business Process Execution Language. Quality of Service: WS-Coordination, WS-Transactions, WS-Security, WS-Reliable Messaging. Description and Discovery: WSDL, WS-Policy, UDDI. Messaging and Encoding: SOAP, SOAP Attachments, XML, XML Infoset. Transports: other protocols, other services. The WS-Security family: OASIS 1.0 WS-Security (the framework) with its token profiles (Username, X.509, Kerberos, SAML, REL, Liberty Mobile); built on top of it, in the OASIS Secure Exchange TC and related work: WS-Secure Conversation, WS-Security Policy, WS-Federation, WS-Trust, WS-Authorization, WS-Privacy.
36 SOAP Message Security: Extensions to Header. The SOAP Header allows for extensions. The OASIS standard WS-Security: SOAP Message Security defines XML for tokens, signatures and encryption, and defines how these elements are included in the SOAP Header. Layout: Envelope > Header > Security element, containing Security Token, Signature and Encrypted Data; Envelope > Body, containing the application data.
37 SOAP Message Security: Elements. Security tokens: claims about the message originator. Username token: Username, or Username and Password (plaintext or digest). Binary token: X.509 certificates, Kerberos tokens. XML tokens: SAML token. User-defined tokens. Signature: across all or part of the SOAP message, the SOAP Body, the security token, or both. A signature over the token proves authenticity and integrity of the claims; a signature over both Body and token binds the Body to the token, so a valid token cannot simply be lifted onto a different message. Encrypted data: all or part of the SOAP message, providing confidentiality on all or parts of a message.
38 SOAP Message Security: Example of Header Elements (namespace URIs cut off on the slide are shown as "...")
<S:Envelope xmlns:S="...">
  <S:Header>
    <wsse:Security>
      <wsse:UsernameToken>
        <wsse:Username>user123</wsse:Username>
        <wsse:Password>ILoveDogs</wsse:Password>
      </wsse:UsernameToken>
      <ds:Signature>...</ds:Signature>
    </wsse:Security>
  </S:Header>
  <S:Body>
    <m:GetStockQuote xmlns:m="...">
      <Symbol>IBM</Symbol>
    </m:GetStockQuote>
  </S:Body>
</S:Envelope>
A plaintext password like this one is only acceptable over a protected transport; the digest form on slide 42 avoids sending it at all.
39 SOAP Message Security: What are Security Tokens? Examples include - Username token - X509 Certificate - Kerberos ticket - SAML assertion Represent claims about - Identity - Attributes - Privileges 39
40 SOAP Message Security: Security Tokens - Username. The UsernameToken carries the user id in the message. Example using only <Username>:
<wsse:Security>
  <wsse:UsernameToken>
    <wsse:Username>user123</wsse:Username>
  </wsse:UsernameToken>
</wsse:Security>
A UsernameToken may also contain a password; there are several choices for its format (see the next two slides). A bare Username is a claim with no proof: the receiver cannot authenticate the sender from it alone.
41 SOAP Message Security: UsernameToken with Password. Username and plain-text password:
<wsse:UsernameToken wsu:Id="...">
  <wsse:Username>user123</wsse:Username>
  <wsse:Password Type="wsse:PasswordText">ILoveDogs</wsse:Password>
</wsse:UsernameToken>
42 SOAP Message Security: UsernameToken with Password Digest. Username and digest (hashed) password:
<wsse:UsernameToken wsu:Id="...">
  <wsse:Username>user123</wsse:Username>
  <wsse:Password Type="wsse:PasswordDigest">Ub%l3i+bbwDiT91C;[L Skfj8d8fgn</wsse:Password>
  <wsse:Nonce>wscqanjceac4mqobe07saq==</wsse:Nonce>
  <wsu:Created>[date]T01:24:32Z</wsu:Created>
</wsse:UsernameToken>
Nonce is a random value (an optional element); each new UsernameToken requires a new Nonce. The digest is computed over Nonce + Created + Password (Base64 of the SHA-1 of that concatenation), so the password itself never travels and a captured token cannot be re-used. Replay prevention only works if the receiver remembers the nonces it has accepted for as long as the Created timestamp is considered fresh and rejects a repeat; without that cache the nonce adds nothing.
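How a receiver actually checks the digest form, as an added example that is not code from the slides or from IBM: it builds a token the way a client would and verifies it the way a service should, including the nonce cache and the Created freshness window that make "prevents replay attacks" true. The namespace URIs and the digest rule are the OASIS 1.0 ones; the five-minute window, the in-memory nonce cache and the sample credentials are this example's assumptions.

```python
"""Build and verify a WS-Security UsernameToken that carries a PasswordDigest.

Added example written for this page; it is not IBM/DataPower code. The digest
rule is the one in the OASIS WSS UsernameToken Profile 1.0:
    PasswordDigest = Base64( SHA-1( nonce + created + password ) )
where nonce is the raw (Base64-decoded) nonce bytes and created is the
wsu:Created string exactly as it appears in the token. The freshness window
and the nonce cache are this example's choices, not something the profile fixes.
"""
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST_TYPE = ("http://docs.oasis-open.org/wss/2004/01/"
               "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Base64(SHA-1(nonce + created + password)), exactly as the profile specifies."""
    raw = hashlib.sha1(nonce + created.encode() + password.encode()).digest()
    return base64.b64encode(raw).decode("ascii")


def parse_utc(stamp: str) -> datetime:
    """xsd:dateTime in UTC, e.g. 2003-07-16T01:24:32Z (fractional seconds allowed)."""
    return datetime.fromisoformat(stamp.rstrip("Z")).replace(tzinfo=timezone.utc)


def build_token(username: str, password: str, created: str, nonce: bytes = None) -> str:
    """Client side: emit a UsernameToken carrying a digest instead of the password."""
    nonce = os.urandom(16) if nonce is None else nonce   # must be fresh for every token
    return (
        f'<wsse:UsernameToken xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}" wsu:Id="UT-1">'
        f'<wsse:Username>{username}</wsse:Username>'
        f'<wsse:Password Type="{DIGEST_TYPE}">'
        f'{password_digest(nonce, created, password)}</wsse:Password>'
        f'<wsse:Nonce>{base64.b64encode(nonce).decode("ascii")}</wsse:Nonce>'
        f'<wsu:Created>{created}</wsu:Created>'
        f'</wsse:UsernameToken>'
    )


def verify_token(token_xml: str, passwords: dict, seen_nonces: set,
                 now: datetime, max_age_s: int = 300):
    """Server side. Returns (ok, reason). `seen_nonces` must persist across
    requests for at least max_age_s, otherwise a captured token replays cleanly."""
    tok = ET.fromstring(token_xml)
    username = tok.findtext(f"{{{WSSE}}}Username")
    pw = tok.find(f"{{{WSSE}}}Password")
    nonce_b64 = tok.findtext(f"{{{WSSE}}}Nonce")
    created = tok.findtext(f"{{{WSU}}}Created")
    if pw is None or pw.get("Type") != DIGEST_TYPE:
        return False, "only PasswordDigest tokens are accepted"
    if not nonce_b64 or not created:
        return False, "digest token requires Nonce and Created"
    age = (now - parse_utc(created)).total_seconds()
    if abs(age) > max_age_s:                     # stale, or clock skew beyond tolerance
        return False, "Created outside freshness window"
    nonce = base64.b64decode(nonce_b64)
    if nonce in seen_nonces:                     # same nonce inside the window: replay
        return False, "nonce already seen (replay)"
    # Unknown user: still compute a digest so the failure path costs the same.
    expected = password_digest(nonce, created, passwords.get(username, ""))
    if not hmac.compare_digest(expected, pw.text or ""):
        return False, "digest mismatch"
    seen_nonces.add(nonce)                       # remember only nonces that authenticated
    return True, "ok"


if __name__ == "__main__":
    created = "2024-01-01T00:00:00Z"             # constructed sample timestamp
    now = parse_utc("2024-01-01T00:00:30Z")
    tok = build_token("user123", "ILoveDogs", created, nonce=b"0123456789abcdef")
    seen = set()
    print(verify_token(tok, {"user123": "ILoveDogs"}, seen, now))   # (True, 'ok')
    print(verify_token(tok, {"user123": "ILoveDogs"}, seen, now))   # (False, 'nonce already seen (replay)')
```

The nonce set is what turns the slide's "prevents re-play attacks" into a guarantee; in a clustered deployment it has to be shared across nodes, and entries can be dropped once their Created time falls outside the window.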
43 SOAP Message Security: Security Tokens - Binary Tokens. BinarySecurityToken carries non-XML token types.
Example: X.509 certificate
<wsse:BinarySecurityToken wsu:Id="..." ValueType="wsse:X509v3" EncodingType="wsse:Base64Binary">
  Base64-encoded X.509 certificate
</wsse:BinarySecurityToken>
Example: Kerberos ticket
<wsse:BinarySecurityToken wsu:Id="..." ValueType="wsse:Kerberosv5ST" EncodingType="wsse:Base64Binary">
  Base64-encoded Kerberos token
</wsse:BinarySecurityToken>
44 SOAP Message Security: Security Tokens - Arbitrary XML Tokens. The <SecurityTokenReference> element is used to include an XML structure as a security token (for example a SAML token or a Liberty token). It usually points to XML that is either internal or external to the message.
<wsse:Security>
  <saml:Assertion AssertionID="[assertion id]">
    ... assertion ...
  </saml:Assertion>
  <wsse:SecurityTokenReference>
    <wsse:KeyIdentifier ValueType="saml:Assertion">[assertion id]</wsse:KeyIdentifier>
  </wsse:SecurityTokenReference>
</wsse:Security>
45 SOAP Message Security: Security Tokens - Arbitrary XML Tokens. <SecurityTokenReference> allows for an external token: somewhere else in the current document, or outside the current document, retrievable via a given URI.
<wsse:SecurityTokenReference wsu:Id="STR1">
  <saml:AuthorityBinding Binding="SOAP-binding" AuthorityKind="samlp:AssertionIdReference" Location="..."/>
  <wsse:KeyIdentifier wsu:Id="KEY1" ValueType="...#SAMLAssertionID">[assertion id]</wsse:KeyIdentifier>
</wsse:SecurityTokenReference>
46 XML Digital Signature: Overview. A <ds:Signature> element contains: <SignedInfo>, which lists one or more <Reference> elements, each naming (by URI) a piece of XML data and carrying the digest of that data (the slide's picture shows two, with digests dc7yttxn and &6%45T8u); <SignatureValue> (7F5*$%KSXCg2 in the picture), the signature computed over <SignedInfo>; and <KeyInfo>, e.g. the X.509 certificate whose key verifies it. The <SignedInfo> structure is the data that is signed; it includes the digests of one or more XML elements, and the result of signing it is <SignatureValue>. A verifier must therefore recompute every referenced digest and check the signature over <SignedInfo>; a signature that verifies but whose References do not cover the Body says nothing about the Body.
47 SOAP Message Security: Signature of Body. Layout: Envelope > Header > Security > Signature, whose Reference points at the data covered by the signature, the application data in the Body.
48 Signing a SOAP message. The browser talks HTTP to the client application, which exchanges SOAP/HTTP request and response with the server application. Service requester (client) side: (1) generate the X.509 security token and place the client certificate in the header; (2) digitally sign the message with the private key of the client certificate. Service provider (server) side: (3) validate the message request with the public key of the client certificate, then digitally sign the message response with the private key of the server certificate; (4) the client validates the message response with the public key of the server certificate.
<wsse:Security>
  <wsse:BinarySecurityToken>...eg+9iksop0qijaghfty.\2"fhYHSgtDu... (X.509 certificate)</wsse:BinarySecurityToken>
</wsse:Security>
49 Signed SOAP request message (namespace URIs cut off on the slide are shown as "...")
<soapenv:Envelope>
  <soapenv:Header>
    <wsse:Security S:mustUnderstand="1" xmlns:wsse="...">
      <wsse:BinarySecurityToken EncodingType="wsse:Base64Binary">        X.509 cert
        MIIDQTCC4ZzO7tIgerPlaid1q... [truncated]
      </wsse:BinarySecurityToken>
      <ds:Signature xmlns:ds="...">                                         Signature
        ... signature data ...
      </ds:Signature>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body>                                                            SOAP body
    <p635:ca_request_id>01ordr</p635:ca_request_id>
    <p635:ca_return_code>0</p635:ca_return_code>
    [truncated]
  </soapenv:Body>
</soapenv:Envelope>
50 Encrypting a SOAP message. Request: (1) the client encrypts the message with a random secret key; (2) it encrypts the secret key with the public key of the server certificate; (3) the server decrypts the secret key with the private key of the server certificate and (4) decrypts the message with the secret key. Response: the server encrypts the message response with a fresh random secret key and encrypts that key with the public key of the client certificate; the client decrypts the secret key with the private key of the client certificate and then decrypts the response with the secret key. Encryption alone gives confidentiality, not integrity or proof of origin; that is why the message is signed as well (slides 48 and 49). The encrypted Body:
<soapenv:Body>
  <EncryptedData xmlns="..." Id="wssecurity_encryption_id_xxxx" Type="...">
    <EncryptionMethod Algorithm="..."/>
    <CipherData>
      <CipherValue>6LPA6MFTI5dc2xtnjiiJ...</CipherValue>
    </CipherData>
  </EncryptedData>
</soapenv:Body>
51 Encrypted SOAP request message (namespace URIs cut off on the slide are shown as "...")
<soapenv:Envelope>
  <soapenv:Header>
    <wsse:Security S:mustUnderstand="1" xmlns:wsse="...">
      <EncryptedKey xmlns="...">                                             Encrypted secret key
        <EncryptionMethod Algorithm="..."/>
        <ds:KeyInfo xmlns:ds="...">                                          Key info
          <ds:KeyName>cn=cicscert, T=Ciwss3c1-cert, OU=PSSC, O=ITSO, L=ENDICOTT, ST=NEW YORK, C=US</ds:KeyName>
        </ds:KeyInfo>
        <CipherData>
          <CipherValue>rN8nTy+IlIPN/g4 [truncated]</CipherValue>
        </CipherData>
      </EncryptedKey>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body>
    <EncryptedData xmlns="...">                                              Encrypted data
      <EncryptionMethod Algorithm="..."/>
      <CipherData>
        <CipherValue>y3FFMZ4ckOZjfpydskgrNHQP9Pr [truncated]</CipherValue>
      </CipherData>
    </EncryptedData>
  </soapenv:Body>
</soapenv:Envelope>
52 TH e-GIF (Thailand e-Government Interoperability Framework): technical standards for electronic interoperation. 1. Interconnection 2. Data exchange: XML, XML Schema, SOAP, WSDL, UDDI, XSL 3. Data storage and presentation formats 4. Security of data and information systems: encryption, XML Signature, XML Encryption, WS-Security 5. Other
53 Agenda SOA and Web Services Security - Overview SOA and Web Services Security Standards SOA and Web Services Security Architecture SOA and Web Services Security Tools and Solutions 53
54 Point-to-Point versus End-to-End Security. SSL/TLS offers several security features, including authentication, data integrity and data confidentiality, but only for individual hops: Requestor to Intermediary is one security context, Intermediary to Web Service is another, and the intermediary sees the message in clear between the two. What is needed in a comprehensive Web Service security architecture is a mechanism that provides end-to-end security, one security context spanning Requestor, Intermediary and Web Service, and greater functionality.
55 Web Service Security (flow). 1. The Service Provider publishes the service to a public UDDI registry. 2a. The Service Consumer queries the registry; 2b. the registry returns the service contract. 3. The consumer invokes the service: 3a. it invokes the service per the contract over the Internet; 3b. the request reaches the web server, behind an XML firewall; 3c. the request reaches the Service Provider.
56 Web Service Security (continued). The same flow, with message protection added. Request: the body is signed with the Service Consumer's private key, encrypted with the Service Provider's public key, and the message includes the Service Consumer's X.509 certificate. Response: signed with the Service Provider's private key, encrypted with the Service Consumer's public key, and including the Service Provider's X.509 certificate. Key stores: the Service Provider's key store holds (1) the Service Consumer's certificate and (2) the root certificate of the CA, and the consumer keeps the corresponding key store for the provider side.
57 Web Services Security High-Level Architecture. On the client, the Request Security Handler performs security token generation, digital signature generation and message encryption, and the Response Security Handler performs message decryption and digital signature validation. On the application server, the Request Security Handler performs message decryption, digital signature validation, and security token validation and set-up of the security context before the request reaches the EJB or Java bean; the Response Security Handler performs digital signature generation and message encryption. On the wire: SOAP request and response carrying WS-Security headers and transport headers. Both sides are driven by configuration: the deployment descriptor and the service bindings.
58 Agenda SOA and Web Services Security - Overview SOA and Web Services Security Standards SOA and Web Services Security Architecture SOA and Web Services Security Tools and Solutions 58
59 Challenges with XML and Web Services. Statement of the problem: XML is the foundation of SOA, but brings new challenges. Scalability: XML is bandwidth, CPU and memory intensive. Performance: some XML applications literally grind to a halt. Security: connecting systems never before connected; clear text over HTTP with no inherent security. Integration: connecting Web services to legacy applications. Standards are still in flux. Businesses want to move to standards-based XML, but XML is bulky, which can cause performance bottlenecks. Businesses want to deploy secure XML-based applications, but security adds further bulk to the application that slows it down.
60 Web Service Security is XML Processing. Performance is key to security. Processing steps on the way in: parsing, schema validation, XPath filtering, XML decryption, signature verification; on the way out: parsing, schema validation, XML transformation, XML signing, XML encryption. Each security function requires XML processing. All services must be implemented without any compromise, and the ability to scale is needed as content and user base grow.
61 DataPower is Much More than Acceleration Software An SOA Appliance Creating customer value through extreme SOA performance and security Skills & Support Simplifies SOA with specialized devices Accelerates SOA with faster XML throughput Helps secure SOA XML implementations WebSphere DataPower SOA Appliances redefine the boundaries of middleware extending the SOA Foundation with specialized, consumable, dedicated SOA appliances that combine superior performance and hardened security for SOA implementations. 61
62 Web Service Security is XML Processing (the same processing steps as slide 60, with a timing chart comparing each step in software only against software with DataPower crypto acceleration; for demonstration only, actual processing time varies depending on application). Each security function requires XML processing; all services must be implemented without any compromise; the ability to scale is needed as content and user base grow.
63 Advantages of an Appliance vs. a Software-Only Solution. Software stack on a typical server: Linux OS and daemons, Java, glibc, libxml, Apache, Tomcat, MySQL and proprietary software, each with its own configuration, on general-purpose hardware with floppy, CD-ROM, USB port and disk. WebSphere DataPower appliance: firmware with XML acceleration and crypto acceleration on optimized hardware, and one configuration. Optimized hardware, firmware and embedded OS; significantly fewer moving parts, no complicated software stack; a much smaller attack surface (no general-purpose open-source stack or Java/C++ libraries to keep patched, nowhere to install a Trojan horse); no drives or USB ports, tamper-resistant case, locked-down configuration. Result: much higher performance, easier to configure, more secure, and cheaper to maintain.
64 Simple Appliance Configuration for Complex Functionality. Fits into your existing environment. Addresses broad organizational needs (architects, developers, network operations, security). Complete configuration from a GUI or CLI interface; IDE integration (Eclipse plug-in); XPath / XML config files; SNMP; SOAP management interface.
65 SOA Appliances Centralize and Simplify Key Functions. Route, transform, and help secure multiple applications without code changes; lower cost and complexity; enable new business with unmatched performance. Before SOA appliances: application servers are updated individually for security processing, routing, web services management, transformation, each new XML standard, access control updates and schema validation. After SOA appliances: secure, route and transform for all applications in one place, with no changes to the applications.
66 WebSphere DataPower SOA Appliance Product Line. XM70: high-volume, low-latency messaging; enhanced QoS and performance; simplified, configuration-driven approach to LLM; publish/subscribe messaging; high availability. XB60: B2B messaging (AS2/AS3); trading partner profile management; B2B transaction viewer; unparalleled performance; simplified management and configuration. XI50: hardware ESB; any-to-any conversion at wire speed; bridges multiple protocols; integrated message-level security. XA35: offload XML processing; no more hand-optimizing XML; lowers development costs. XS40: enhanced security capabilities; centralized policy enforcement; fine-grained authorization; rich authentication.
67 Standards
68 DataPower and the Standards. OASIS: Web Services Security (WSS) TC; Web Services Distributed Management (WSDM); Security Services (SAML); XACML; Reliable Exchange, Web Services Transactions; XSLT/XPath Conformance; Digital Signature Services; ebXML Messaging TC. WS-I: Basic Security Profile Working Group; MC Committee; SOAP with Attachments Working Group. W3C: XML Protocol WG for SOAP; XML Binary; WS-Addressing; XML Key Management Services (XKMS) WG; XML Encryption WG; XML-DSig WG. OMG (Object Management Group): CORBA Security specification. ACORD: Joint Architecture Group [Framework][Security].
69 Security Features
70 Security: Top Concern for SOA. XML Web services easily expose backend systems to customers and partners, and traditional security devices do not secure XML/SOAP. Solution: multiple levels of defense. First level: an XML security gateway, for enhanced security, scalability and simplicity. Second level: the application server, for additional processing.
71 Gartner: Web Services Security Best Practices. Provide system security: inspect ALL traffic; transform all messages; mask internal resources; implement XML filtering; secure logging; protect against XML DoS; require good authentication mechanisms. Provide message security: sign all messages; validate messages (inbound and outbound); time-stamp all messages. Ask for compatibility: SSL, SAML, X.509, WS-Security, WS-* extensions. Build expertise, design from strength: educate business leaders; build centralized infrastructure; SSL is key; use management/security platforms; manage your identities; you may need PKI; trust (really) your partners; monitor and control. "Therefore, enterprises should investigate tools such as security gateways, SSL concentrators and accelerators, and wire-speed SOAP/XML inspection hardware." -- John Pescatore, Gartner
72 XS40 XML Security Gateway: Purpose-Built for SOA Security. XML/SOAP firewall: filter on any content, metadata or network variables. Data validation: approve incoming and outgoing XML and SOAP with minimal latency. Message- and field-level security: WS-Security encryption, decryption, digital signatures, etc. XML Web services access control/AAA: SAML, LDAP, RADIUS, etc. Web services management: service-level management, service virtualization, policy management. Content-based message routing. Web application firewall capabilities: security proxy, threat mediation and content processing services for HTTP-based web applications.
73 XML and SOAP Firewall. Highly configurable request and response filtering: IP-layer parameter filtering (client IP address, etc.); SSL parameter filtering (client certificate, etc.); HTTP header filtering; XPath filtering of any part of the SOAP envelope or XML payload; filtering by service, URL, etc. Easy point-and-click XPath filtering.
74 XML Threats: XML entity expansion and recursion attacks; XML document size attacks; XML document width attacks; XML document depth attacks; XML denial of service (xDoS); XML well-formedness-based parser attacks; jumbo payloads; recursive elements; MegaTags, aka jumbo tag names; public key DoS; XML flood; resource hijack; dictionary attack; message tampering; falsified message; data tampering; message snooping; XPath injection; SQL injection; WSDL enumeration; routing detour; schema poisoning; malicious morphing; malicious include, also called XML External Entity (XXE) attack; memory space breach; XML encapsulation; XML virus; replay attack.
75 XML Threat Scenario. (Mis)use-case: XML Denial of Service (xDoS). A hacker sends structural XML exploits, e.g. XML entity recursion ("Billion Laughs"), to /TomcatBank/services/BankBean on the application server. The SOAP passes through the firewalls and the DMZ untouched. Result: high CPU utilization, 100% by the application server process; an out-of-memory error in the application server logs; service outage and heap dump.
76 XML Structural Exploit: Billion Laughs
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE getCustomerFullName [
  <!ELEMENT billion (#PCDATA)>
  <!ENTITY laugh0 "ha">
  <!ENTITY laugh1 "&laugh0;&laugh0;">
  <!ENTITY laugh2 "&laugh1;&laugh1;">
  <!ENTITY laugh3 "&laugh2;&laugh2;">
  ... and so on ...
  <!ENTITY laugh127 "&laugh126;&laugh126;">
]>
<SOAP-ENV:Envelope>
  <SOAP-ENV:Body>
    <getCustomerFullName>
      <customerId xsi:type="xsd:string"> </customerId>
      <billion>&laugh127;</billion>
    </getCustomerFullName>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
A few hundred bytes of DTD: each entity is two copies of the previous one, so a parser that expands entities eagerly tries to materialize 2^127 copies of "ha" for the single &laugh127; reference.
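An added example, not part of the slides and not DataPower code, of the kind of pre-parse guard an XML firewall applies to the threats listed on slide 74: it rejects any DOCTYPE or entity declaration before anything is expanded (so the Billion Laughs payload above and an XXE "malicious include" never reach the application parser), enforces size, depth and tag-name limits, and reports ill-formed input. The limits and the sample documents are constructed for the example.

```python
"""Pre-parse guard against structural XML attacks (xDoS, entity expansion, XXE).

Added example written for this page; it is not DataPower code. It uses the
standard-library expat parser and aborts, before any entity is expanded, on:
  * any DOCTYPE or entity declaration (Billion Laughs, XXE / malicious include),
  * external entity references,
  * documents over a byte limit, nested deeper than a limit, or using
    oversized element names (jumbo tags).
Ill-formed XML is reported too, since expat raises on it.
"""
import xml.parsers.expat as expat


class XmlThreat(Exception):
    """Raised inside an expat handler to abort the parse immediately."""


def check_xml(data: bytes, max_bytes: int = 1_000_000,
              max_depth: int = 32, max_name_len: int = 256):
    """Return (ok, reason) for an incoming XML document, without building a tree."""
    if len(data) > max_bytes:                      # document size attack
        return False, f"document size {len(data)} exceeds {max_bytes} bytes"

    parser = expat.ParserCreate()
    depth = 0

    def start_doctype(name, sysid, pubid, has_internal_subset):
        # Fires at "<!DOCTYPE" itself, before the internal subset is read.
        raise XmlThreat("DOCTYPE not allowed: entity expansion / XXE risk")

    def entity_decl(name, is_pe, value, base, sysid, pubid, notation):
        raise XmlThreat(f"entity declaration {name!r} not allowed")

    def external_ref(context, base, sysid, pubid):
        raise XmlThreat(f"external entity {sysid!r} not allowed")

    def start_element(name, attrs):
        nonlocal depth
        if len(name) > max_name_len:               # MegaTag / jumbo tag name
            raise XmlThreat(f"element name longer than {max_name_len} (jumbo tag)")
        depth += 1
        if depth > max_depth:                      # document depth attack
            raise XmlThreat(f"nesting deeper than {max_depth} (document depth attack)")

    def end_element(name):
        nonlocal depth
        depth -= 1

    parser.StartDoctypeDeclHandler = start_doctype
    parser.EntityDeclHandler = entity_decl
    parser.ExternalEntityRefHandler = external_ref
    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    try:
        parser.Parse(data, True)
    except XmlThreat as threat:
        return False, str(threat)
    except expat.ExpatError as err:
        return False, f"not well-formed: {err}"
    return True, "ok"


def billion_laughs(levels: int) -> bytes:
    """Constructed attack sample shaped like the slide's payload, scaled down."""
    ents = ['<!ENTITY laugh0 "ha">']
    ents += [f'<!ENTITY laugh{i} "&laugh{i - 1};&laugh{i - 1};">' for i in range(1, levels + 1)]
    dtd = '<!DOCTYPE r [<!ELEMENT billion (#PCDATA)>' + "".join(ents) + ']>'
    body = f'<r><billion>&laugh{levels};</billion></r>'
    return ('<?xml version="1.0"?>' + dtd + body).encode()


# Constructed benign request, for comparison.
SAMPLE_REQUEST = (b'<?xml version="1.0"?>'
                  b'<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">'
                  b'<S:Body><m:GetStockQuote xmlns:m="urn:example">'
                  b'<Symbol>IBM</Symbol></m:GetStockQuote></S:Body></S:Envelope>')

if __name__ == "__main__":
    for label, doc in [("benign", SAMPLE_REQUEST), ("laughs", billion_laughs(10)),
                       ("deep", b"<a>" * 40 + b"</a>" * 40), ("broken", b"<a><b></a>")]:
        print(label, check_xml(doc))
```

Because the check is a streaming parse with no tree, its cost is linear in the input and bounded by max_bytes, which is the property a gateway needs: the guard itself must not be a cheaper DoS target than the service it protects. Applications that legitimately need a DTD would instead whitelist a fixed one and still reject entity declarations.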
77 XML Threat Solution: xDoS Protection. An XML security appliance sits in front of the web service (/TomcatBank/services/BankBean): XML attacks are stopped and logged before they reach the application server. It protects any application server hosting Web services and is a non-invasive, drop-in solution: existing applications need minimal changes, and new applications get reusable QoS.
78 Access Control Integration Framework (AAA): Authenticate, Authorize, Audit. Input message: Extract Identity (from transport headers, URL, SOAP method, XPath, WS-Security, SAML, X.509, Kerberos, proprietary tokens) and Extract Resource (from transport headers, URL, SOAP method, XPath). Authenticate against LDAP, Active Directory, SAML, Tivoli, CA eTrust/Netegrity, RSA, Entrust, Novell or RACF, then Map Credentials. Map Resource, then Authorize against LDAP, Active Directory, SAML, Tivoli, CA eTrust/Netegrity, RSA, Entrust, Novell or a proprietary store. Post-processing: SAML assertion, credential mediation, IDS integration, monitoring, audit and accounting; then the output message. The decisions can come from an external access control server or from an onboard identity management store.
79 WebSphere DataPower Appliance Deployment Scenarios. 1. In the Internet demilitarized zone, between packet filters: an XS40 helps protect against incoming attacks from Internet users and applies incoming access control before requests reach the SOAP-enabled enterprise application. 2. Facing the federated extranet: an XS40 applies outgoing access control, SAML injection and role mappings. 3. Inside the intranet, in front of the SOA platform: an XS40 provides internal security for requests from internal users to the SOAP-enabled enterprise application.
80 Screen Shots
81 Configuration Driven, NO Programming
82 Example: Build Web Service Proxy with AAA 84
83 Add a AAA Security Action 85
84 Choose Authentication Method 86
85 DataPower Flash Demo Click Click Icon Icon to to Activate Demo XML Firewall Demo 87
86 Why DataPower? Performance
Scenario: WSBench with Web Services Security
- WebSphere Application Server (WAS) host: Windows 2003, 2x 3.2 GHz HyperThreaded, 2 GB memory, 512 cache
- DataPower: 9002-XS40-03 [Rev 04], firmware version not transcribed
Chart: throughput (req/sec), DataPower vs WAS, for message sizes 1in1out, 1in10out, 10in1out, 10in10out and 100in100out (values not recoverable from the transcription)

Beyond performance:
- Security (risk of operational loss): XML threats
- Management of the web services framework (risk of operational loss, risk to customer satisfaction): SLAs, monitoring, governance