Securing Web Services with WS-Security

Size: px
Start display at page:

Download "Securing Web Services with WS-Security"

Transcription

1 Securing Web Services with WS-Security Demystifying WS-Security, WS-Policy, SAML, XML Signature and XML Encryption jothy Rosenberg David L. Remy SAMS Sams Publishing, 800 East 96th Street, Indianapolis, Indiana 46240

2 Table of Contents Forewords xx Introduction i Who This Book Is For 1 About This Book 1 How This Book Is Organized 2 I. Basic Concepts ofweb Services Security 5 Web Services Basics : XML, SOAP, andwsdl 6 XML and XML Schema 6 SOAP 7 WSDL 9 UDDI 9 Application Integration 9 B2Ii Business Process Integration 10 Portals 11 Service-Oriented Architectures 11 Definition ofweb Services 12 Security Basics 12 Shared Key and Public Key Technologies 13 Security Concepts and Definitions 16 Web Services Security Basics 19 XML Signature 19 XML Encryption 20 SAML 20 WS-Security 21 Trust Issues 22 Other WS-Security-Related Specs 22 Sununary 22 2 The Foundations ofweb Services 25 The Gestalt ofweb Services 25 Application Integration 25 The Evolution ofdistributed Computing 2$ The Inevitability ofweb Services 32 Security Challenges 35

3 XML: Meta-Language for Data-Oriented Interchange 37 Where XML Came From and Why It's Important 38 XML and Web Services 39 XML Namespaces 39 XML Schema 42 XML Transformations 43 XML's Role in Web Services Security 46 SOAP: XML Messaging and Remote Application Access 49 Where SOAP Came From andwhy It's Important 50 SOAP Envelope 52 SOAP Header 53 SOAP Body 53 SOAP Processing 55 SOAP Attachments 55 SOAP and Web Services Security 55 WSDL ; Schema for XML/SOAP Objects and Interfaces 56 Where WSDL Came From. and Why It's Important 56 WSDL Elements 58 WSDL and SOAP 61 WSDL and Web Services Security 61 UDDI : Publishing and Discovering Web Services 62 ebxml and RosettaNet: Alternative Technologies for Web Services 65 The Web Services Security Specifications 65 Summary 67 ä The Foundations of Distributed Message- Level Security 69 Tbre Challenges ofinformation Security for Web Services 69 Security of Distributed Systems Is Hard 69 Security ofexchanged Information (Messages) Is Harder 70 Security ofweb Services Is Hardest 71

4 Viii Contents Shared Key Technologies 72 Shared Key Encryption 72 Kerberos 75 Limitations ofshared Key Technologies 76 Public Key Technologies 76 Public Key Encryption 76 Limitations ofpublic Key Encryption 79 Digital Signature Basics 80 A Digital Signature Expressed in XML 85 Public Key Infrastructure 86 SSLTransport Layer Security 97 Summary Safeguarding the Identity and Integrity of XMI. Messages 105 Introduction To and Motivation for XML Signature 105 AW3C Standard 105 Critical Building Block forws-security 105 Close Associations with Web Services Security 106 The Goal ofensuring Integrity (and Usually Identity) and Non-repudiation Persistently 106 XML Signature and XML Encryption : Fundamental Web Services Security Technologies 106 XML Signature Fundamentals 107 XML Signature Structure 107 Basic Structure 108 Specifying the Items Being Signed 109 Types ofxml Signatures 109 The Signature Element Schema 113 XML Signature Processing 116 XML Signature Generation 1.17 XML SignatureValidation 119 The XML Signature Elements 120 The Signedinfo Element 120 The Canonical iaationmethod Element and Canonicalization 120

5 Contents ix The SignatureMethod Element 125 The Reference Element 125 The Transform Element 127 The DigestMethod Element 132 The Digestvalue Element 133 The signaturevalue Element 133 The object Element 133 The Keyin o Element 137 Security Strategies for XML Signature 140 Using Transforms 140 Mxowing the Security Model 141 KnowingYour Keys 142 Signing Object Elements 142 Signing DTDs with Entity References 142 Summary Ensuring Confidentiality ofxml Messages 147 Introduction to and Motivation for XML Encryption 147 Relating XML Encryption and XML Signature 147 Critical Building Block for WS-Security 148 The Goal Is to Ensure Confidentiality of Messages from End to End with Different Recipients 149 Think Shared Key CryptographyWhenYou Think of XML Encryption 149 XML Encryption Will Become Part of the Infrastructure Like XML Signature 149 XML Encryption Fundamentals 150 XML Encryption Structure 151 EncryptedData:The Core ofxml Encryption 151 EncryptedData Schema 152 EncryptedType 153 EncryptionMethod 154 CipherData 154 Encrypt ionproperties 155

6 x Contents Keyinfo 156 Encrypt:edKey 157 AgreementMethod 159 Ref erencelist 160 CarriedKeyName 161 Super Encryption 162 XML Encryption Processing 1.63 Encryption Process 163 Decryption Process 164 Using XML Encryption and XML Signature Together 165 The Decryption Transform for XML Signature 168 XML Encryption and XML Signature Strategies 175 Summary Portable Identity, Authentication, and Authorization 3,77 Introduction to and Motivation for SAML 178 The Problems SAML Addresses 179 Transporting Identity or "Portable Trust" 181 The Concept oftrust Assertions 181 How SAML Works 181 SAML Assertions 184 SAML Producers and Consumers 188 SAML Protocol 189 Authorization Request 191 SAML Bindings 192 SAML Profiles 194 Using SAML with WS-Security 195 Tile WS-Security SAML Profile 196 Applying SAML: Project Liberty 197 The Identity Problem 197 Federated Identity 197 How Liberty Uscs SAML 198 The Microsoft Passport Alternative Approach 199 Summary 200

7 Contents 7 Building Security into SOAP 201 Introduction to and Motivation forws-security 201 Problems and Goals 201 The Origins ofws-security 205 WS-Security Is Foundational 206 Extending SOAP with Security 206 Security Tokens inws-security 208 UsernameToken 209 BinarySecuri.t:yTokens 21.2 XML Tokens 215 Referencing Security Tokens 220 Providing Confidentiality : XML Encryption in WS-Security 222 Shared Key XML Encryption 222 Wrapped Key XML Encryption 223 Encrypting Attachments 224 WS-Security Encryption Summary 227 Providing Integrity : XML Signature in WS-Security 227 XML Signature forvalidating a Security Token 227 XML Signature for Message Integrity 228 XML Signature in WS-Security Considerations 228 WS-Security XML Signature Example 228 Signing a Security Token Reference 229 Message Time Stamps 230 Summary Communicating Security Policy 235 WS-Policy 235 WS-Policy and WSDL 236 WS-Policy and WS-SecurityPolicy 236 The WS-Policy Framework 237 WS-Policy Details 238 WS-PolicyAssertions 240 WS-PofcyAttachment 241 Specifying WS-Policy in WSDL 242

8 x1i Contents WS-SecurityPolicy 245 SecurityToken 245 integrity 248 Confidentiality 250 Visibility 251 SecurityHeader 252 MessageAge 253 Summary Trust, Access Control, and Rights for Web Services 255 The WS-* Family of Security Specifications 255 WS-* Security Specifications fortrust Relationships 258 WS-* Security Specifications for Interoperabiiity 265 WS-* Security Specifications for Integration 269 XML Key Management Specification (XKMS) 272 Origins ofxkms 272 Goals of XKMS 272 The XKMS Services 273 extensible Access Control Markup Language (XACML) Specification 279 The XACML Data Model 280 XACML Operation 281 XACML Policy Example 282 extensible Rights Markup Language (XrML) Management Specification 284 The XrML Data Model 285 XrML Use Case Example 285 Summary Building a Secure Web Service Using BEA's WebLogic Workshop 293 Security Layer Walkthrough 294 Transport-Level Security 295 Message-Level Security 296 Role-Based Security 297

9 Contents xiii WebLogic Workshop Web Service Walkthrough 297 Transport Security 302 Message-Based Security 312 Summary 330 A Security, Cryptography, and Protocol Background Material 331 The SSL Protocol 331 Testing for Primality 333 RSA Cryptography 334 Choosing RSA Key Pairs 335 Padding 335 RSA Encryption 335 RSA Decryption 336 DSA Digital Signature Algorithms 336 DSA. Key Generation 336 DSA Algorithm Operation 337 Block Cipher Processing 337 Block Cipher Padding (PKCS#5) 337 Block Cipher Feedback 338 DES Encryption Algoritluii 338 AES Encryption Algorithm 339 Hashing Details and Requirements 339 Motivation for Using Hash Functions 340 Requirements for Digital Signature 340 SHA1 340 Collision Resistance 341 Security 341 Simplicity and Efficiency 341 Silvio Micali's FastValidation/Revocation. 341 Vilidity Check 342 Revocation 343 Canonicalization ofmessages for Digital Signature Manifests 343 CanonicalizationV1 Transform Steps 343. Canonicalization Subtleties : E%clusive Canonicalization 344

10 AV Contents Base-64 Encoding 345 PGP 346 Glossary 347 Index 367

This Working Paper provides an introduction to the web services security standards.

This Working Paper provides an introduction to the web services security standards. International Civil Aviation Organization ATNICG WG/8-WP/12 AERONAUTICAL TELECOMMUNICATION NETWORK IMPLEMENTATION COORDINATION GROUP EIGHTH WORKING GROUP MEETING (ATNICG WG/8) Christchurch New Zealand

More information

02267: Software Development of Web Services

02267: Software Development of Web Services 02267: Software Development of Web Services Week 11 Hubert Baumeister huba@dtu.dk Department of Applied Mathematics and Computer Science Technical University of Denmark Fall 2015 1 Contents WS-Policy Web

More information

Java Security Web Services Security (Overview) Lecture 9

Java Security Web Services Security (Overview) Lecture 9 Java Security Web Services Security (Overview) Lecture 9 Java 2 Cryptography Java provides API + SPI for crypto functions Java Cryptography Architecture Security related core classes Access control and

More information

CICS Identity and Security

CICS Identity and Security CICS Identity and Security Leigh Y Compton IBM zgrowth Team Insert Custom Session QR if Desired. lcompton@us.ibm.com Abstract User identity and security is critical to businesses today. This session will

More information

Web Services. Web Service Security. Copyright 2010 Davide Cerri & Srdjan Komazec

Web Services. Web Service Security. Copyright 2010 Davide Cerri & Srdjan Komazec Web Services Web Service Security Copyright 2010 Davide Cerri & Srdjan Komazec 1 Where Are We? # Title 1 Distributed Information Systems 2 Middleware 3 Web Technologies 4 Web Services 5 Basic Web Service

More information

Web Services Security: What s Required To Secure A Service-Oriented Architecture. An Oracle White Paper January 2008

Web Services Security: What s Required To Secure A Service-Oriented Architecture. An Oracle White Paper January 2008 Web Services Security: What s Required To Secure A Service-Oriented Architecture An Oracle White Paper January 2008 Web Services Security: What s Required To Secure A Service-Oriented Architecture. INTRODUCTION

More information

Web Services Security Standards Forum. Dr. Phillip M. Hallam-Baker C.Eng. FBCS VeriSign Inc.

Web Services Security Standards Forum. Dr. Phillip M. Hallam-Baker C.Eng. FBCS VeriSign Inc. Web Services Security Standards Forum Dr. Phillip M. Hallam-Baker C.Eng. FBCS VeriSign Inc. Web Services Security Standards For Um For um: Meeting to tell people that everyone agrees on an issue Walk the

More information

Encryption, Signing and Compression in Financial Web Services

Encryption, Signing and Compression in Financial Web Services Danske Bank Encryption, Signing and Compression in Financial Web Services Details of how to call the Danske Bank financial web service Version 2.4.7 Encryption, Signing and Compression in Financial Web

More information

By Koji MIYAUCHI* ABSTRACT. XML is spreading quickly as a format for electronic documents and messages. As a consequence,

By Koji MIYAUCHI* ABSTRACT. XML is spreading quickly as a format for electronic documents and messages. As a consequence, Falsification Prevention and Protection Technologies and Products XML Signature/Encryption the Basis of Web Services Security By Koji MIYAUCHI* XML is spreading quickly as a format for electronic documents

More information

Oracle Security Developer Tools (OSDT) August 2008

<Insert Picture Here> Oracle Security Developer Tools (OSDT) August 2008 Oracle Security Developer Tools (OSDT) August 2008 Items Introduction OSDT 10g Architecture Business Benefits Oracle Products Currently Using OSDT 10g OSDT 10g APIs Description OSDT

More information

A Signing Proxy for Web Services Security. Dr. Ingo Melzer RIC/ED

A Signing Proxy for Web Services Security. Dr. Ingo Melzer RIC/ED A Signing Proxy for Web Services Security Dr. Ingo Melzer RIC/ED What is a Web Service? Infrastructure Web Service I. Melzer -- A Signing Proxy for Web Services Security 2 What is a Web Service? basic

More information

Technik und Informatik. SOAP Security. Prof. Dr. Eric Dubuis Berner Fachhochschule Biel. Version April 11, 2012

Technik und Informatik. SOAP Security. Prof. Dr. Eric Dubuis Berner Fachhochschule Biel. Version April 11, 2012 SOAP Security Prof. Dr. Eric Dubuis Berner Fachhochschule Biel Version April 11, 2012 Overview Motivation Transport security versus SOAP Security WS-Security stack overview Structure of secured SOAP messages

More information

NIST s Guide to Secure Web Services

NIST s Guide to Secure Web Services NIST s Guide to Secure Web Services Presented by Gaspar Modelo-Howard and Ratsameetip Wita Secure and Dependable Web Services National Institute of Standards and Technology. Special Publication 800-95:

More information

Principles and Foundations of Web Services: An Holistic View (Technologies, Business Drivers, Models, Architectures and Standards)

Principles and Foundations of Web Services: An Holistic View (Technologies, Business Drivers, Models, Architectures and Standards) Principles and Foundations of Web Services: An Holistic View (Technologies, Business Drivers, Models, Architectures and Standards) Michael P. Papazoglou (INFOLAB/CRISM, Tilburg University, The Netherlands)

More information

SECURITY FOR XML MESSAGES

SECURITY FOR XML MESSAGES EAN UCC Implementation Guidelines ebmethodology Group Working Group 4 - WG4 DOCUMENT STATUS: DISCUSSION DRAFT DOCUMENT 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31

More information

Network Security. Chapter 10. Application Layer Security: Web Services. Part I: Introduction to Web Services

Network Security. Chapter 10. Application Layer Security: Web Services. Part I: Introduction to Web Services Network Architectures and Services, Georg Carle Faculty of Informatics Technische Universität München, Germany Part I: Introduction to Web Services Network Security Chapter 10 Application Layer Security:

More information

Security in B2B. Sami Tähtinen FRENDS Technology, Inc. S-38.153 Security of Communication Protocols January 28 th, 2003

Security in B2B. Sami Tähtinen FRENDS Technology, Inc. S-38.153 Security of Communication Protocols January 28 th, 2003 Security in B2B Sami Tähtinen FRENDS Technology, Inc. S-38.153 Security of Communication Protocols January 28 th, 2003 Contents What is B2B information exchange? Threats against B2B information exchange

More information

XML Encryption Syntax and Processing. Duan,Limiao 07,12,2006

XML Encryption Syntax and Processing. Duan,Limiao 07,12,2006 XML Encryption Syntax and Processing Duan,Limiao 07,12,2006 Agenda Introduction Encryption Overview and Examples - An XML Element - XML Element Content (Elements) - XML Element Content (Character Data)

More information

Web services payment systems. Master Thesis Technical University of Denmark

Web services payment systems. Master Thesis Technical University of Denmark Master Thesis Technical University of Denmark Submitted by Mike Andreasen 31.12.2003 Contents Preface... 5 Introduction... 6 State of the art... 7 Distributed computing evolution... 7 Introduction to XML...

More information

Copyright 2012, Oracle and/or its affiliates. All rights reserved.

Copyright 2012, Oracle and/or its affiliates. All rights reserved. 1 OTM and SOA Mark Hagan Principal Software Engineer Oracle Product Development Content What is SOA? What is Web Services Security? Web Services Security in OTM Futures 3 PARADIGM 4 Content What is SOA?

More information

Strategic Information Security. Attacking and Defending Web Services

Strategic Information Security. Attacking and Defending Web Services Security PS Strategic Information Security. Attacking and Defending Web Services Presented By: David W. Green, CISSP dgreen@securityps.com Introduction About Security PS Application Security Assessments

More information

JOHN KNEILING APRIL 3-5, 2006 APRIL 6-7, 2006 RESIDENZA DI RIPETTA - VIA DI RIPETTA, 231 ROME (ITALY)

JOHN KNEILING APRIL 3-5, 2006 APRIL 6-7, 2006 RESIDENZA DI RIPETTA - VIA DI RIPETTA, 231 ROME (ITALY) TECHNOLOGY TRANSFER PRESENTS JOHN KNEILING CREATING XML AND WEB SERVICES SOLUTIONS SECURING THE WEB SERVICES ENVIRONMENT APRIL 3-5, 2006 APRIL 6-7, 2006 RESIDENZA DI RIPETTA - VIA DI RIPETTA, 231 ROME

More information

Web Services Trust and XML Security Standards

Web Services Trust and XML Security Standards Web Services Trust and XML Security Standards Date: April 9, 2001 Version: 1.0 Copyright 2001-2003 Entrust. All rights reserved. Entrust is a registered trademark of Entrust, Inc. in the United States

More information

Digital Signature Web Service Interface

Digital Signature Web Service Interface 1 2 Digital Signature Web Service Interface 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 1 Introduction This document describes an RPC interface for a centralized

More information

Presented By: Muhammad Afzal 08May, 2009

Presented By: Muhammad Afzal 08May, 2009 Secure Web ServiceTransportation for HL7 V3.0 Messages Authors: Somia Razzaq, Maqbool Hussain, Muhammad Afzal, Hafiz Farooq Ahmad Presented By: Muhammad Afzal 08May, 2009 NUST School of Electrical Engineering

More information

Securing Web Services From Encryption to a Web Service Security Infrastructure

Securing Web Services From Encryption to a Web Service Security Infrastructure Securing Web Services From Encryption to a Web Service Security Infrastructure Kerberos WS-Security X.509 TLS Gateway OWSM WS-Policy Peter Lorenzen WS-Addressing Agent SAML Policy Manager Technology Manager

More information

XML Signatures in an Enterprise Service Bus Environment

XML Signatures in an Enterprise Service Bus Environment XML Signatures in an Enterprise Bus Environment Eckehard Hermann Research & Development XML Integration Uhlandstraße 12 64297 Darmstadt, Germany Eckehard.Hermann@softwareag.com Dieter Kessler Research

More information

Web Services Security Using SOAP, WSDL and UDDI

Web Services Security Using SOAP, WSDL and UDDI Web Services Security Using SOAP, WSDL and UDDI by Lin Yan A Thesis Submitted to the Faculty of Graduate Studies in Partial Fulfillment of the Requirements for the Degree of MASTER OF SCIENCE Department

More information

Digital Signature with Hashing and XML Signature Patterns

Digital Signature with Hashing and XML Signature Patterns Digital Signature with Hashing and XML Signature Patterns Keiko Hashizume, Eduardo B. Fernandez, and Shihong Huang Dept. of Computer Science and Engineering, Florida Atlantic University Boca Raton, FL

More information

Web Service Security Vulnerabilities and Threats in the Context of WS-Security

Web Service Security Vulnerabilities and Threats in the Context of WS-Security Web Service Security Vulnerabilities and Threats in the Context of WS-Security Jesper Holgersson Eva Söderström University of Skoevde, Sweden SIIT 2005, ITU, Geneva, September 2005 Outline of presentation

More information

Web Services Security with SOAP Security Proxies

Web Services Security with SOAP Security Proxies Web Services Security with Security Proxies Gerald Brose, PhD Technical Product Manager Xtradyne Technologies AG OMG Web Services Workshop USA 22 April 2003, Philadelphia Web Services Security Risks! Exposure

More information

Core Feature Comparison between. XML / SOA Gateways. and. Web Application Firewalls. Jason Macy jmacy@forumsys.com CTO, Forum Systems

Core Feature Comparison between. XML / SOA Gateways. and. Web Application Firewalls. Jason Macy jmacy@forumsys.com CTO, Forum Systems Core Feature Comparison between XML / SOA Gateways and Web Application Firewalls Jason Macy jmacy@forumsys.com CTO, Forum Systems XML Gateway vs Competitive XML Gateways or Complementary? and s are Complementary

More information

WEB SERVICES SECURITY

WEB SERVICES SECURITY WEB SERVICES SECURITY February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in part without

More information

The Global Justice Reference Architecture (JRA) Web Services Service Interaction Profile

The Global Justice Reference Architecture (JRA) Web Services Service Interaction Profile The Global Justice Reference Architecture (JRA) Web Services Service Interaction Profile V 1.1 by The Global Infrastructure/Standards Working Group August 1, 2007 Table of Contents Acknowledgements...

More information

CS 356 Lecture 28 Internet Authentication. Spring 2013

CS 356 Lecture 28 Internet Authentication. Spring 2013 CS 356 Lecture 28 Internet Authentication Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control Lists

More information

17 March 2013 NIEM Web Services API Version 1.0 URI: http://reference.niem.gov/niem/specification/web-services-api/1.0/

17 March 2013 NIEM Web Services API Version 1.0 URI: http://reference.niem.gov/niem/specification/web-services-api/1.0/ 17 March 2013 NIEM Web Serv vices API Version 1.0 URI: http://reference.niem.gov/niem/specification/web-services-api/1.0/ i Change History No. Date Reference: All, Page, Table, Figure, Paragraph A = Add.

More information

Christoph Bussler. B2B Integration. Concepts and Architecture. With 165 Figures and 4 Tables. IIIBibliothek. Springer

Christoph Bussler. B2B Integration. Concepts and Architecture. With 165 Figures and 4 Tables. IIIBibliothek. Springer Christoph Bussler B2B Integration Concepts and Architecture With 165 Figures and 4 Tables IIIBibliothek Springer Contents Part I Introduction to Business-to-Business Integration.... 1 1 History 3 1.1 Why

More information

Representation of E-documents in AIDA Project

Representation of E-documents in AIDA Project Representation of E-documents in AIDA Project Diana Berbecaru Marius Marian Dip. di Automatica e Informatica Politecnico di Torino Corso Duca degli Abruzzi 24, 10129 Torino, Italy Abstract Initially developed

More information

Web Service Security Management Using Semantic Web Techniques

Web Service Security Management Using Semantic Web Techniques Web Service Security Management Using Semantic Web Techniques Diego Zuquim Guimarães Garcia Institute of Computing University of Campinas POB 6176 Postal Code 13.4-971 Campinas, SP, Brazil +55 19 3788

More information

A PERFORMANCE EVALUATION OF MOBILE WEB SERVICES SECURITY

A PERFORMANCE EVALUATION OF MOBILE WEB SERVICES SECURITY A PERFORMANCE EVALUATION OF MOBILE WEB SERVICES SECURITY Satish Narayana Srirama 1, Matthias Jarke 1,2, Wolfgang Prinz 1,2 1 RWTH Aachen, Informatik V, Ahornstr.55, 52056 Aachen, Germany 2 Fraunhofer FIT,

More information

Software Requirement Specification Web Services Security

Software Requirement Specification Web Services Security Software Requirement Specification Web Services Security Federation Manager 7.5 Version 0.3 (Draft) Please send comments to: dev@opensso.dev.java.net This document is subject to the following license:

More information

Web Services Security

Web Services Security Web Services Security Attacking & Defending Web Services Pete Lindstrom petelind@spire.com SPi RE securit y Fiction This behind the firewall stuff is a bunch of hooey. Web Services Security isn t scary

More information

SAML Implementation Guidelines

SAML Implementation Guidelines 1 2 3 4 SAML Implementation Guidelines Working Draft 01, 27 August 2004 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 Document identifier: sstc-saml-implementation-guidelines-draft-01 Location:

More information

Understanding Oracle Web Services Manager 12c (12.2.1)

Understanding Oracle Web Services Manager 12c (12.2.1) [1]Oracle Fusion Middleware Understanding Oracle Web Services Manager 12c (12.2.1) E56868-01 October 2015 Documentation for developers and administrators that introduces features of the Oracle Web Services

More information

Run-time Service Oriented Architecture (SOA) V 0.1

Run-time Service Oriented Architecture (SOA) V 0.1 Run-time Service Oriented Architecture (SOA) V 0.1 July 2005 Table of Contents 1.0 INTRODUCTION... 1 2.0 PRINCIPLES... 1 3.0 FERA REFERENCE ARCHITECTURE... 2 4.0 SOA RUN-TIME ARCHITECTURE...4 4.1 FEDERATES...

More information

GRID COMPUTING Techniques and Applications BARRY WILKINSON

GRID COMPUTING Techniques and Applications BARRY WILKINSON GRID COMPUTING Techniques and Applications BARRY WILKINSON Contents Preface About the Author CHAPTER 1 INTRODUCTION TO GRID COMPUTING 1 1.1 Grid Computing Concept 1 1.2 History of Distributed Computing

More information

Communication Security for Applications

Communication Security for Applications Communication Security for Applications Antonio Carzaniga Faculty of Informatics University of Lugano March 10, 2008 c 2008 Antonio Carzaniga 1 Intro to distributed computing: -server computing Transport-layer

More information

Federated Service Oriented Architecture for Effects-Based Operations

Federated Service Oriented Architecture for Effects-Based Operations Federated Service Oriented Architecture for Effects-Based Operations Intelligence and Information Systems Matt Brown (720) 88-4014 mebrown@raytheon.com Customer Success Is Our Mission is a trademark of

More information

Building Web Services with Java

Building Web Services with Java Building Web Services with Java MAKING SENSE OF XML, SOAP, WSDL, AND UDDI Second Edition Steve Graham Doug Davis Simeon Simeonov Glen Daniels Peter Brittenham Yuichi Nakamura Paul Fremantle Dieter König

More information

Federated Identity and Trust Management

Federated Identity and Trust Management Redpaper Axel Buecker Paul Ashley Neil Readshaw Federated Identity and Trust Management Introduction The cost of managing the life cycle of user identities is very high. Most organizations have to manage

More information

Improving performance for security enabled web services. - Dr. Colm Ó héigeartaigh

Improving performance for security enabled web services. - Dr. Colm Ó héigeartaigh Improving performance for security enabled web services - Dr. Colm Ó héigeartaigh Agenda Introduction to Apache CXF WS-Security in CXF 3.0.0 Securing Attachments in CXF 3.0.0 RS-Security in CXF 3.0.0 Some

More information

Chapter 12 GRID SECURITY ARCHITECTURE: Requirements,fundamentals, standards, and models

Chapter 12 GRID SECURITY ARCHITECTURE: Requirements,fundamentals, standards, and models Author manuscript, published in Security in Distributed, Grid, Mobile, and Pervasive Computing, Auerbach Publications, pp. 255-288, April, 2007 https://www.nics.uma.es Security in Distributed, Grid, and

More information

An IDL for Web Services

An IDL for Web Services An IDL for Web Services Interface definitions are needed to allow clients to communicate with web services Interface definitions need to be provided as part of a more general web service description Web

More information

Tusker IT Department Tusker IT Architecture

Tusker IT Department Tusker IT Architecture Tusker IT Department System Overview Documents Tusker IT Department Tusker IT Architecture Single Sign On Overview Page 1 Document Information and Approvals VERSION HISTORY Version # Date Revised By Reason

More information

On the Insecurity of XML Security

On the Insecurity of XML Security On the Insecurity of XML Security Juraj Somorovsky Dissertation zur Erlangung des Grades eines Doktor-Ingenieurs der Fakultät für Elektrotechnik und Informationstechnik an der Ruhr-Universität Bochum Bochum,

More information

Trusting XBRL: Using the Liberty Web Services Framework to Secure and Authenticate XBRL Documents

Trusting XBRL: Using the Liberty Web Services Framework to Secure and Authenticate XBRL Documents Trusting XBRL: Using the Liberty Web Services Framework to Secure and Authenticate XBRL Documents Farrukh Najmi and Eve Maler farrukh.najmi@sun.com, eve.maler@sun.com Sun Microsystems, Inc. Goals for today's

More information

Security Assertion Markup Language (SAML)

Security Assertion Markup Language (SAML) CS 595G 02/14/06 Security Assertion Markup Language (SAML) Vika Felmetsger 1 SAML as OASIS Standard OASIS Open Standard SAML V2.0 was approved in March, 2005 Blending of two earlier efforts on portable

More information

Contents at a Glance. 1 Introduction 17. 2 Basic Principles of IT Security 23. 3 Authentication and Authorization in

Contents at a Glance. 1 Introduction 17. 2 Basic Principles of IT Security 23. 3 Authentication and Authorization in at a Glance 1 Introduction 17 2 Basic Principles of IT Security 23 3 Authentication and Authorization in SAP NetWeaver Application Server Java 53 4 Single Sign-On 151 5 Identity Provisioning 289 6 Secure

More information

GRA Reliable Secure Web Services Service Interaction Profile Version 1.2 Table of Contents

GRA Reliable Secure Web Services Service Interaction Profile Version 1.2 Table of Contents Table of Contents Acknowledgements... v Document Conventions... vi 1. Introduction and Purpose...1 1.1. Profile Selection Guidance...1 1.2. Usage...1 1.3. Profiles, Standards, and Recommendations...2 1.4.

More information

PKI Uncovered. Cisco Press. Andre Karamanian Srinivas Tenneti Francois Dessart. 800 East 96th Street. Indianapolis, IN 46240

PKI Uncovered. Cisco Press. Andre Karamanian Srinivas Tenneti Francois Dessart. 800 East 96th Street. Indianapolis, IN 46240 PKI Uncovered Andre Karamanian Srinivas Tenneti Francois Dessart Cisco Press 800 East 96th Street Indianapolis, IN 46240 Contents Introduction XIII Part I Core Concepts Chapter 1 Crypto Refresh 1 Confidentiality,

More information

CICS Web Service Security. Anthony Papageorgiou IBM CICS Development March 13, 2012 Session: 10282

CICS Web Service Security. Anthony Papageorgiou IBM CICS Development March 13, 2012 Session: 10282 Web Service Security Anthony Papageorgiou IBM Development March 13, 2012 Session: 10282 Agenda Web Service Support Overview Security Basics and Terminology Pipeline Security Overview Identity Encryption

More information

User Management Interfaces for Earth Observation Services Abstract Test Suite

User Management Interfaces for Earth Observation Services Abstract Test Suite User Management Interfaces for Earth Observation Services Abstract Test Suite Primary Author Andrew Woolf, STFC Rutherford Appleton Laboratory Revision history Version Contributors Date Changes 0.1 Andrew

More information

Architectures, and. Service-Oriented. Cloud Computing. Web Services, The Savvy Manager's Guide. Second Edition. Douglas K. Barry. with.

Architectures, and. Service-Oriented. Cloud Computing. Web Services, The Savvy Manager's Guide. Second Edition. Douglas K. Barry. with. Web Services, Service-Oriented Architectures, and Cloud Computing The Savvy Manager's Guide Second Edition Douglas K. Barry with David Dick ELSEVIER AMSTERDAM BOSTON HEIDELBERG LONDON NEW YORK OXFORD PARIS

More information

DISTRIBUTED SYSTEMS SECURITY

DISTRIBUTED SYSTEMS SECURITY DISTRIBUTED SYSTEMS SECURITY Issues, Processes and Solutions Abhijit Belapurkar, Yahoo! Software Development India Pvt. Ltd., India Anirban Chakrabarti, Infosys Technologies Ltd., India Harigopal Ponnapalli,

More information

Szolgáltatásorientált rendszerintegráció. WS-* standards

Szolgáltatásorientált rendszerintegráció. WS-* standards Szolgáltatásorientált rendszerintegráció WS-* standards Outline Requirements WS-* standards XML digital signature XML encryption 2 Integration requirements 3 Integration within a company SAP.NET? JEE SQL

More information

DEPLOYING AND INVOKING SECURE WEB SERVICES OVER JXTA FRAMEWORK

DEPLOYING AND INVOKING SECURE WEB SERVICES OVER JXTA FRAMEWORK DEPLOYING AND INVOKING SECURE WEB SERVICES OVER JXTA FRAMEWORK A THESIS SUBMITTED TO THE GRADUATE SCHOOL OF NATURAL AND APPLIED SCIENCES OF MIDDLE EAST TECHNICAL UNIVERSITY BY LHAM GÖRGÜN IN PARTIAL FULFILLMENT

More information

A Web Service Architecture for Enforcing Access Control Policies

A Web Service Architecture for Enforcing Access Control Policies VODCA 2004 Preliminary Version A Web Service Architecture for Enforcing Access Control Policies Claudio Agostino Ardagna 1, Ernesto Damiani 2, Sabrina De Capitani di Vimercati 3, Pierangela Samarati 4

More information

SCUR203 Why Do We Need Security Standards?

SCUR203 Why Do We Need Security Standards? SCUR203 Why Do We Need Security Standards? Cristina Buchholz Product Security, SAP Learning Objectives As a result of this workshop, you will be able to: Recognize the need for standardization Understand

More information

Using WS-Federation and WS-Security for Identity Management in Virtual Organisations

Using WS-Federation and WS-Security for Identity Management in Virtual Organisations Using WS-Federation and WS-Security for Identity Management in Virtual Organisations Demchenko, Yu. , Universiteit van Amsterdam Abstracts The paper provides insight into one of key

More information

OGSA Security Roadmap

OGSA Security Roadmap July, 2002 Draft 1.3 - Revised 7/19/2002 OGSA Security Roadmap Global Grid Forum Specification Roadmap towards a Secure OGSA Frank Siebenlist 1, Von Welch 2, Steven Tuecke 1, Ian Foster 1,2 Nataraj Nagaratnam

More information

Introduction into Web Services (WS)

Introduction into Web Services (WS) (WS) Adomas Svirskas Agenda Background and the need for WS SOAP the first Internet-ready RPC Basic Web Services Advanced Web Services Case Studies The ebxml framework How do I use/develop Web Services?

More information

Complying with PCI Data Security

Complying with PCI Data Security Complying with PCI Data Security Solution BRIEF Retailers, financial institutions, data processors, and any other vendors that manage credit card holder data today must adhere to strict policies for ensuring

More information

Exploring ADSS Server Signing Services

Exploring ADSS Server Signing Services ADSS Server is a multi-function server providing digital signature creation and signature verification services, as well as supporting other infrastructure services including Time Stamp Authority (TSA)

More information

An Oracle White Paper November 2009. Oracle Primavera P6 EPPM Integrations with Web Services and Events

An Oracle White Paper November 2009. Oracle Primavera P6 EPPM Integrations with Web Services and Events An Oracle White Paper November 2009 Oracle Primavera P6 EPPM Integrations with Web Services and Events 1 INTRODUCTION Primavera Web Services is an integration technology that extends P6 functionality and

More information

REST and SOAP Services with Apache CXF

REST and SOAP Services with Apache CXF REST and SOAP Services with Apache CXF Andrei Shakirin, Talend ashakirin@talend.com ashakirin.blogspot.com/ Agenda Introduction in Apache CXF New CXF features Project using Apache CXF How CXF community

More information

IT Networks & Security CERT Luncheon Series: Cryptography

IT Networks & Security CERT Luncheon Series: Cryptography IT Networks & Security CERT Luncheon Series: Cryptography Presented by Addam Schroll, IT Security & Privacy Analyst 1 Outline History Terms & Definitions Symmetric and Asymmetric Algorithms Hashing PKI

More information

SMPTE Standards Transition Issues for NIST/FIPS Requirements v1.1

SMPTE Standards Transition Issues for NIST/FIPS Requirements v1.1 SMPTE Standards Transition Issues for NIST/FIPS Requirements v1.1 Contents 2010.8.23 DRM inside, Taehyun Kim ETRI, Kisoon Yoon 1 Introduction NIST (National Institute of Standards and Technology) published

More information

Rights Management Services

Rights Management Services www.css-security.com 425.216.0720 WHITE PAPER Microsoft Windows (RMS) provides authors and owners the ability to control how they use and distribute their digital content when using rights-enabled applications,

More information

Chapter 7 Transport-Level Security

Chapter 7 Transport-Level Security Cryptography and Network Security Chapter 7 Transport-Level Security Lectured by Nguyễn Đức Thái Outline Web Security Issues Security Socket Layer (SSL) Transport Layer Security (TLS) HTTPS Secure Shell

More information

STUDY ON IMPROVING WEB SECURITY USING SAML TOKEN

STUDY ON IMPROVING WEB SECURITY USING SAML TOKEN STUDY ON IMPROVING WEB SECURITY USING SAML TOKEN 1 Venkadesh.M M.tech, Dr.A.Chandra Sekar M.E., Ph.d MISTE 2 1 ResearchScholar, Bharath University, Chennai 73, India. venkadeshkumaresan@yahoo.co.in 2 Professor-CSC

More information

2 Transport-level and Message-level Security

2 Transport-level and Message-level Security Globus Toolkit Version 4 Grid Security Infrastructure: A Standards Perspective The Globus Security Team 1 Version 4 updated September 12, 2005 Abstract This document provides an overview of the Grid Security

More information

Unit IV: SOAP protocol, XML-RPC, HTTP, SOAP faults and SOAP attachments, Web services, UDDI, XML security

Unit IV: SOAP protocol, XML-RPC, HTTP, SOAP faults and SOAP attachments, Web services, UDDI, XML security Unit IV: SOAP protocol, XML-RPC, HTTP, SOAP faults and SOAP attachments, Web services, UDDI, XML security 1. RPC (Remote Procedure Call) It is often necessary to design distributed systems, where the code

More information

GWD-R.P (submitted for consideration)

GWD-R.P (submitted for consideration) GWD-R.P (submitted for consideration) GGF OGSA Security Workgroup Samuel Meder Frank Siebenlist Von Welch Jarek Gawor Thomas Sandholm Argonne National Laboratory February, 2003 Revised 7/19/2005 A GSSAPI

More information

White Paper Delivering Web Services Security: The Entrust Secure Transaction Platform

White Paper Delivering Web Services Security: The Entrust Secure Transaction Platform White Paper Delivering Web Services Security: September 2003 Copyright 2003 Entrust. All rights reserved. Entrust is a registered trademark of Entrust, Inc. in the United States and certain other countries.

More information

Network Security Guidelines And Recommendations

Network Security Guidelines And Recommendations Network Security Guidelines And Recommendations Submitted February 28, 2003 Revised April 16, 2003 WATP No. 0601 Task Order No.: T0002AJM038 Contract No.: GS00T99ALD0203 Abstract This document describes

More information

IBM WebSphere DataPower Integration Appliance XI52

IBM WebSphere DataPower Integration Appliance XI52 IBM WebSphere DataPower Integration Appliance XI52 Save time, reduce cost, and improve security with this purpose-built appliance for application integration Highlights Save time, reduce cost and improve

More information

T-Check in Technologies for Interoperability: Web Services and Security Single Sign-On

T-Check in Technologies for Interoperability: Web Services and Security Single Sign-On T-Check in Technologies for Interoperability: Web Services and Security Single Sign-On Lutz Wrage Soumya Simanta Grace A. Lewis Saul Jaspan December 2007 TECHNICAL NOTE CMU/SEI-2008-TN-026 Integration

More information

A Service Oriented Security Reference Architecture

A Service Oriented Security Reference Architecture International Journal of Advanced Computer Science and Information Technology (IJACSIT) Vol. 1, No.1, October 2012, Page: 25-31, ISSN: 2296-1739 Helvetic Editions LTD, Switzerland www.elvedit.com A Service

More information

On the Insecurity of XML Security

On the Insecurity of XML Security On the Insecurity of XML Security Juraj Somorovsky Dissertation zur Erlangung des Grades eines Doktor-Ingenieurs der Fakultät für Elektrotechnik und Informationstechnik an der Ruhr-Universität Bochum Bochum,

More information

Digital Signing Specification

Digital Signing Specification Digital Signing Specification Product: EVM-CR Feature: Digital File Signatures Support to: Defense Cost and Resource Center Contract No: W91WAW-08-D-0031/0008 Tecolote Research, Inc. Date: 07/08/2013 Document

More information

Secure Envelope specification

Secure Envelope specification Secure Envelope specification for Corporate Access File Transfer 2/13/2015 Version 1.0.3 This document defines how a file (e.g. a payment file) which will be sent to the bank is digitally signed by the

More information

SAML Federated Identity at OASIS

SAML Federated Identity at OASIS International Telecommunication Union SAML Federated Identity at OASIS Hal Lockhart BEA Systems Geneva, 5 December 2006 SAML and the OASIS SSTC o SAML: Security Assertion Markup Language A framework for

More information

Overview of CSS SSL. SSL Cryptography Overview CHAPTER

Overview of CSS SSL. SSL Cryptography Overview CHAPTER CHAPTER 1 Secure Sockets Layer (SSL) is an application-level protocol that provides encryption technology for the Internet, ensuring secure transactions such as the transmission of credit card numbers

More information

Service Virtualization: Managing Change in a Service-Oriented Architecture

Service Virtualization: Managing Change in a Service-Oriented Architecture Service Virtualization: Managing Change in a Service-Oriented Architecture Abstract Load balancers, name servers (for example, Domain Name System [DNS]), and stock brokerage services are examples of virtual

More information

WebService Security. A guide to set up highly secured client-server communications using WS-Security extensions to the SOAP protocol

WebService Security. A guide to set up highly secured client-server communications using WS-Security extensions to the SOAP protocol WebService Security A guide to set up highly secured client-server communications using WS-Security extensions to the SOAP protocol Jam Hamidi Senior Technical Analyst BCcampus, Victoria, British Columbia,

More information

Emerging Technologies Shaping the Future of Data Warehouses & Business Intelligence

Emerging Technologies Shaping the Future of Data Warehouses & Business Intelligence Emerging Technologies Shaping the Future of Data Warehouses & Business Intelligence Service Oriented Architecture SOA and Web Services John O Brien President and Executive Architect Zukeran Technologies

More information

Multi-Level Secure Architecture for Distributed Integrated Web Services

Multi-Level Secure Architecture for Distributed Integrated Web Services Multi-Level Secure Architecture for Distributed Integrated Web s J.G.R.Sathiaseelan Bishop Heber College (Autonomous) Tiruchirappalli 620 017, India jgrsathiaseelan@gmail.com S.Albert Rabara St Joseph

More information

Chapter 6 Electronic Mail Security

Chapter 6 Electronic Mail Security Cryptography and Network Security Chapter 6 Electronic Mail Security Lectured by Nguyễn Đức Thái Outline Pretty Good Privacy S/MIME 2 Electronic Mail Security In virtually all distributed environments,

More information

Lesson 4. An survey of the impact on and use of Web Services in the industry today. Industry 4.1. Industry. 2004 SkillBuilders, Inc. V1.

Lesson 4. An survey of the impact on and use of Web Services in the industry today. Industry 4.1. Industry. 2004 SkillBuilders, Inc. V1. Industry 4.1 Lesson 4 Industry An survey of the impact on and use of Web Services in the industry today. SKILLBUILDERS Industry 4.2 4.2 Lesson Objectives What companies are using it? Popular SOAP Implementations.NET

More information

Digital Rights Management & XML Security Protocols

Digital Rights Management & XML Security Protocols Digital Rights Management & ML Security Protocols Head-to-Head or Hand-in-Hand? Holly Lynne McKinley, SSCP Booz Allen Hamilton McLean, VA Introduction Digital Rights Management brings to mind controversial

More information