CICS Web Service Security. Anthony Papageorgiou IBM CICS Development March 13, 2012 Session: 10282

Similar documents
IBM WebSphere Data Power SOA Applicances V3.8.1 Solution IMP. Version: Demo. Page <<1/10>>

Secure Identity Propagation Using WS- Trust, SAML2, and WS-Security 12 Apr 2011 IBM Impact

Core Feature Comparison between. XML / SOA Gateways. and. Web Application Firewalls. Jason Macy jmacy@forumsys.com CTO, Forum Systems

An Oracle White Paper Dec Oracle Access Management Security Token Service

Securing Web Services From Encryption to a Web Service Security Infrastructure

Software Requirement Specification Web Services Security

Copyright 2012, Oracle and/or its affiliates. All rights reserved.

Redbook Overview Patterns: SOA Design with WebSphere Message Broker and WebSphere ESB

Agenda. DataPower: A Brief History Application, DMZ, and ESB Trends What is Application Optimization (AO)? Summary

This Working Paper provides an introduction to the web services security standards.

AquaLogic Service Bus

CS 356 Lecture 28 Internet Authentication. Spring 2013

Easy CramBible Lab DEMO ONLY VERSION Test284,IBM WbS.DataPower SOA Appliances, Firmware V3.6.0

CICS Identity and Security

INTEGRATE SALESFORCE.COM SINGLE SIGN-ON WITH THIRD-PARTY SINGLE SIGN-ON USING SENTRY A GUIDE TO SUCCESSFUL USE CASE

Presented By: Muhammad Afzal 08May, 2009

WEB SERVICES SECURITY

e-filing Secure Web Service User Manual

PowerCenter Real-Time Development

Java Security Web Services Security (Overview) Lecture 9

DataPower SOA Appliances Product Family

Technik und Informatik. SOAP Security. Prof. Dr. Eric Dubuis Berner Fachhochschule Biel. Version April 11, 2012

Web Services Security with SOAP Security Proxies

Improving performance for security enabled web services. - Dr. Colm Ó héigeartaigh

OIO SAML Profile for Identity Tokens

IBM Tivoli Federated Identity Manager

Apigee Gateway Specifications

PUBLIC Connecting a Customer System to SAP HCI

Custom Encryption in Siebel & Siebel Web Service Security Test Guide 1.0

Final Project Report December 9, Cloud-based Authentication with Native Client Server Applications. Nils Dussart

Web Services Security: What s Required To Secure A Service-Oriented Architecture. An Oracle White Paper January 2008

Secure Authentication and Session. State Management for Web Services

CISCO ACE XML GATEWAY TO FORUM SENTRY MIGRATION GUIDE

WebSphere DataPower Release FIPS and NIST SP a support.

Mid-Project Report August 14 th, Nils Dussart

Web Service Security Vulnerabilities and Threats in the Context of WS-Security

User Management Interfaces for Earth Observation Services Abstract Test Suite

Federated Identity and Trust Management

Exam Name: Test284,IBM WbS.DataPower SOA

NIST s Guide to Secure Web Services

A pattern for the WS-Trust standard for web services

XML Signatures in an Enterprise Service Bus Environment

Enabling Federation and Web-Single Sign-On in Heterogeneous Landscapes with the Identity Provider and Security Token Service Supplied by SAP NetWeaver

OPENIAM ACCESS MANAGER. Web Access Management made Easy

Integrating VMware Horizon Workspace and VMware Horizon View TECHNICAL WHITE PAPER

A Conceptual Technique for Modelling Security as a Service in Service Oriented Distributed Systems

How to Secure Mainframe FTP

SCA-based Enterprise Service Bus WebSphere ESB

This chapter describes how to use the Junos Pulse Secure Access Service in a SAML single sign-on deployment. It includes the following sections:

<Insert Picture Here> Oracle Web Services Manager (WSM)

Web Services Security: OpenSSO and Access Management for SOA. Sang Shin Java Technology Evangelist Sun Microsystems, Inc. javapassion.

A Signing Proxy for Web Services Security. Dr. Ingo Melzer RIC/ED

Web Services. Web Service Security. Copyright 2010 Davide Cerri & Srdjan Komazec

Single Sign-On Implementation Guide

The Role of Identity Enabled Web Services in Cloud Computing

Integrated Systems & Solutions. Some Performance and Security Findings Relative to a SOA Ground Implementation. March 28, John Hohwald.

CA Nimsoft Service Desk

Securing Web Services Using Microsoft Web Services Enhancements 1.0. Petr PALAS PortSight Software Architect

Leveraging Service Oriented Architecture (SOA) to integrate Oracle Applications with SalesForce.com

WebService Security. A guide to set up highly secured client-server communications using WS-Security extensions to the SOAP protocol

Flexible Identity Federation

IBM Tivoli Federated Identity Manager V6.2.2 Implementation. Version: Demo. Page <<1/10>>

CA Nimsoft Service Desk

Setup Guide Access Manager Appliance 3.2 SP3

AquaLogic ESB Design and Integration (3 Days)

02267: Software Development of Web Services

Mobile Identity and Edge Security Forum Sentry Security Gateway. Jason Macy CTO, Forum Systems

Get Success in Passing Your Certification Exam at first attempt!

Avaya IP Office 8.1 Configuration Guide

Network Security Protocols

Single Sign-On Implementation Guide

Authentication and Single Sign On

SAP HANA Cloud Integration CUSTOMER

Managing SOA Security and Operations with SecureSpan

SIP Trunking Manual. For Samsung OfficeServ. Sep 18, 2006 doc v Sungwoo Lee Senior Engineer

Single Sign-On Implementation Guide

MQ Authenticate User Security Exit Overview

Axway API Gateway. Version 7.4.1

Agenda. How to configure

The increasing popularity of mobile devices is rapidly changing how and where we

Identity Server Guide Access Manager 4.0

WA2087 Programming Java SOAP and REST Web Services - WebSphere 8.0 / RAD 8.0. Student Labs. Web Age Solutions Inc.

Secure Coding SSL, SOAP and REST. Astha Singhal Product Security Engineer salesforce.com

Criteria for web application security check. Version

A Unified Messaging-Based Architectural Pattern for Building Scalable Enterprise Service Bus

Creating SOAP and REST Services and Web Clients with Ensemble

WebSphere Integration Solutions. IBM Day Minsk Anton Litvinov WebSphere Connectivity Professional Central Eastern Europe

Securing SOA and Web Services with Oracle Enterprise Gateway

By Koji MIYAUCHI* ABSTRACT. XML is spreading quickly as a format for electronic documents and messages. As a consequence,

New Single Sign-on Options for IBM Lotus Notes & Domino IBM Corporation

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into

17 March 2013 NIEM Web Services API Version 1.0 URI:

SAML and OAUTH Technologies WebSphere Application Server

New CICS support for Secure Sockets Layer

Federated Identity Management Solutions

Chapter 17. Transport-Level Security

DocuSign Single Sign On Implementation Guide Published: March 17, 2016

SSL VPN Server Guide. Access Manager 3.2 SP2. June 2013

Securely Managing and Exposing Web Services & Applications

Transcription:

Web Service Security Anthony Papageorgiou IBM Development March 13, 2012 Session: 10282

Agenda Web Service Support Overview Security Basics and Terminology Pipeline Security Overview Identity Encryption Signature DataPower Identity Propagation 2

Web Service Support Overview as a Web Service Provider Web Service Requester SOAP Request COMMAREA or Channel Web Service Pipeline SOAP Response COMMAREA or Channel Existing Program as a Web Service Requester Web Service Provider SOAP Request SOAP Response Web Service Pipeline Channel INVOKE WEBSERVICE Channel Program 3

Security Basics and Terminology Security is based of User ID Command Level Security Resource Level Security etc. The various options for securing Web Services in are aimed at addressing three common needs: Identity Confidentiality Integrity 5

Identity As a Web Service Provider: Need to know who the requester is so that we know what User ID we should run the business logic under so that Security is maintained Authentication Need to prove that the requester is who they say they are. As a Web Service Requester: Need to know what credentials we should provide to the Web Service Provider 6

Confidentiality Web Services allow data in COMMAREAs or Channels to travel outside of via SOAP Messages Need to ensure that the data in our SOAP messages can only be read by the intended recipient Web Service Requester SOAP Request SOAP Response Web Service Pipeline COMMAREA or Channel COMMAREA or Channel 7

Integrity Web Services allow instructions to business logic to travel outside of via SOAP messages Need to ensure that the data in our SOAP messages cannot be tampered with without us knowing Web Service Requester Authentic SOAP Request SOAP Response Web Service Pipeline COMMAREA or Channel COMMAREA or Channel 8

Pipeline Security Overview as a Web Service Provider SOAP Request COMMAREA or Channel TCPIPSERVICE or MQ URIMAP Attach Web Service Pipeline Attach Program as a Web Service Requester SOAP Request Channel URIMAP Web Service Pipeline INVOKE WEBSERVICE Program 9

Identity

Identity Overview Where we get the User ID from... as a Web Service Provider SOAP Request COMMAREA or Channel TCPIPSERVICE URIMAP USERID(...) Attach Web Service Pipeline Attach Program Determine User ID from HTTP Basic Authentication or SSL Certificate 12 ( Default user if neither is present) If User ID is still Default then override this with USERID(...) on URIMAP if present Attach CPIH with the User ID (Context Switch) Security handler determines User ID from credentials in the SOAP header Perform an Attach using the User ID in the DFHWS-USERID container if the User ID was updated during pipeline processing (Context Switch)

Identity Overview What credentials to send... as a Web Service Requester SOAP Request Channel URIMAP XWBAUTH (4.1 onwards) CERTIFICATE(...) Web Service Pipeline INVOKE WEBSERVICE Program 13 For TS V4.1 and above, the XWBAUTH user exit is called to determine username and password for basic authentication credentials given the current User ID and the URI that is being access Can also use the CERTIFICATE(...) attribute if using SSL Security handler determines Identity Credentials from Pipeline Configuration and adds them to the header of the SOAP message. This may or may not be dependant on the current User ID

Identity Scenarios Identity assigned on a per service basis Identity assigned on a per requester basis (basic) Identity assigned on a per requester basis (advanced) Identity from external credentials Identity from X.509 certificates 14

Identity Per Service as a Web Service Provider SOAP Request COMMAREA or Channel TCPIPSERVICE URIMAP USERID(...) Attach Web Service Pipeline Attach Program 15 URIMAP can be used to assign a User ID for the pipeline task. If the User ID (or indeed Tran ID) can be derived directly from the URI of the Service this is the most efficient option. Custom handler could be used, per pipeline, but if this makes a static per pipeline decision then URIMAP is more efficient.

Identity Per Service as a Web Service Requester SOAP Request Channel URIMAP CERTIFICATE(...) Web Service Pipeline INVOKE WEBSERVICE Program DFHWS-USERID As of TS V3.2 for HTTP a check will be made for a Client Mode URIMAP when making an outbound connection. The properties of this URIMAP will be used including Certificate and Ciphers if SSL. Can be achieved with a user handler that updates DFHWS-USERID 16

Identity Per Requester (basic) as a Web Service Provider SOAP Request COMMAREA or Channel TCPIPSERVICE URIMAP Attach Web Service Pipeline Attach Program HTTP Basic Auth SSL Client Certificate Authentication Both configured on TCPIPService 17

Identity Per Requester (basic) as a Web Service Requester SOAP Request Channel URIMAP XWBAUTH (4.1 onwards) Web Service Pipeline INVOKE WEBSERVICE Program User Handler updates DFHWS-USERID or DFHCERTLABEL As of TS V4.1 the XWBAUTH exit is called Can be achieved with a user handler 18

Identity Per Requester (advanced) as a Web Service Provider Trusted Gateway (eg WAS) Secure SSL pipe SOAP Request TCPIPSERVICE URIMAP Attach Web Service Pipeline COMMAREA or Channel Attach Program Various user WS requests 19 A typical pattern is to have a trusted gateway that sends Web Service requests into on behalf of various users This means that users of a service only need security permissions to run the business logic (eg file/program access) but not to connect to For this scenario you need Web service security support

Identity Per Requester (advanced) as a Web Service Requester SOAP Request Channel URIMAP Web Service Pipeline INVOKE WEBSERVICE Program 23 supplied security handler Can add a User ID from DFHWS-USERID (defaults to task user id) into SOAP Header as a User ID without password Mode= Basic, Trust = Blind. To add password WS-Trust or Custom handler would be needed WS-Trust is used by configuring sts_authentication rather than native authentication in the pipeline configuration file

Example Pipeline Configuration User ID in SOAP Header <wsse_handler> <dfhwsse_configuration version="1"> <authentication mode="basic" trust="blind"> </authentication> </dfhwsse_configuration> </wsse_handler> User ID in WS Security header Without password 24

Identity from External Credentials External Credentials are ones that cannot be handled natively by External user id / passwords SAML, LPTA, Kerberos Home grown etc. as Requester and Provider WS-Trust support to call and external Secure Token Service Custom Handler 25

WS-Trust Specification WS-Trust Published as specification 25 February 2005 Submitted to OASIS standardization process Provides a framework for building trust relationships Sender and Receiver in different security domains Security tokens must be vouched for by trusted third party Trusted third party is called the Security Token Service (STS) WS-Trust defines standard protocols and standard WSDL interfaces to communicate with an STS 26

Support of WS-Trust Options 27 Interoperates with a Security Token Server supplied security handler as a Web Service provider Validate the security token in the WS-Security header Exchange the security token in the WS-Security header as a Web Service requester Exchange the security token to be used in the WS-Security header Custom interaction with an STS Provides a Channel Linkable interface to allow user programs to easy call an STS, without understanding WS-Trust Via DFHPIRT Builds and parsers the WS-Trust messages to and from containers

Identity from External Credentials WS-Trust as a Web Service Provider SOAP Request COMMAREA or Channel TCPIPSERVICE URIMAP Attach Web Service Pipeline Attach Program 28 Security handler extracts the credentials from the SOAP header and sends them to a trusted STS which returns the corresponding User ID Secure SSL pipe WS-Trust Security Token Sevice (STS)

Identity from External Credentials WS-Trust as a Web Service Requester SOAP Request COMMAREA or Channel URIMAP Web Service Pipeline INVOKE WEBSERVICE Program 29 Security handler sends the User ID to a trusted STS which returns the corresponding external credentials which it then puts into the SOAP header Secure SSL pipe WS-Trust Security Token Sevice (STS)

Example Pipeline Configuration <wsse_handler> <dfhwsse_configuration version="1"> <sts_authentication action="issue"> <auth_token_type> <namespace>http://...</namespace> <element>mytoken</element> </auth_token_type> </sts_authentication> <sts_endpoint> <endpoint>https://...</endpoint> </sts_endpoint> </dfhwsse_configuration> </wsse_handler> Give us back the corresponding token Namespace and tag name of the SOAP header that contains our security token Location of our STS 30

Identity from X.509 Certificates Datapower Transform to simple identity token in Data Power and use mode = basic, trust=blind Optionally with SSL Supplied security handler Will use the Identity associated with the X.509 certificate used to sign the message body (i.e. Via RACF Keyring) Very CPU heavy, so should only be used as a last resort or for low volume transactions 31

Identity from X.509 Certificates as a Web Service Provider with Data Power SOAP Request Data Power Secure SSL pipe TCPIPSERVICE URIMAP Attach Web Service Pipeline Convert X.509 Certificate to simple security token as a Web Service Requester with Data Power SOAP Request Data Power Secure SSL pipe Convert simple security token to X.509 Certificate and sign the message TCPIPSERVICE URIMAP Web Service Pipeline 32

Identity from X.509 Certificates as a Web Service Provider without Data Power SOAP Request COMMAREA or Channel TCPIPSERVICE URIMAP Assert User ID from X.509 Certificate via RACF lookup (CPU intensive, not recommended) Attach Web Service Pipeline as a Web Service Requester without Data Power Attach Program Sign body using X.509 Certificate specified in the security handler configuration SOAP Request COMMAREA or Channel URIMAP Web Service Pipeline Invoke Webservice Program 33

Example Pipeline Configuration <wsse_handler> <dfhwsse_configuration version="1"> <authentication mode="signature"> <algorithm> http://www.w3.org/2000/09/xmldsig#dsa-sha1 </algorithm> <certificate_label> MY_CERTIFCATE_LABEL </certificate_label> </authentication> </dfhwsse_configuration> </wsse_handler> Get Identity from the XML digital signature For outbound: The hashing algorithm to use to sign For outbound: The certificate to use to sign 34

More Advanced Identity Scenarios Multiple Identity Tokens Asserted Identity can natively handle X.509 and user name tokens Trust = basic/blind/signature can be used to specify asserting (checked) ID. Mode = basic/signature can be used to specify asserted (unchecked) ID. Surrogate Security checks are use to ensure that the Asserting ID has authority to start work for target asserted user ID. 35

Encryption

Encryption Data must be encrypted between Requester and Provider, provides Confidentiality If calls are point to point then use transport encryption (SSL) If service requires WS-Security XML Encryption then you can use DataPower If WS-Security XML Encryption is required and DataPower is not available then the supplied security handler can be used Can decrypt any elements in an inbound message Can only encrypt the body on an outbound message 37

Encryption How we keep our data secret... Transport Level (SSL) SOAP Request COMMAREA or Channel TCPIPSERVICE URIMAP Web Service Pipeline Program SOAP Request COMMAREA or Channel Message Level (XML encryption) SOAP Request COMMAREA or Channel TCPIPSERVICE URIMAP Web Service Pipeline Program SOAP Request COMMAREA or Channel 39

Encryption How we keep our data secret... Combination (XML encryption with SSL) COMMAREA or Channel TCPIPSERVICE URIMAP Web Service Pipeline Program COMMAREA or Channel Data Power DataPower TCPIPSERVICE URIMAP Web Service 40

Example Pipeline Configuration <wsse_handler> <dfhwsse_configuration version="1"> <encrypt_body> <algorithm> http://www.w3.org/2001/04/xmlenc#tripledes-cbc </algorithm> <certificate_label>enccert02</certificate_label> </encrypt_body> <expect_encrypted_body/> </dfhwsse_configuration> </wsse_handler> For Outbound: The algorithm with which to encrypt the message body For Outbound: The Certificate with which to encrypt the message body (recipients public certificate) For Inbound: Flag to reject messages which don't have an encrypted body 42

Sample XML <PaymentInfo xmlns='http://example.org/paymentv2'> <Name>John Smith</Name> <CreditCard Limit='5,000' Currency='USD'> <Number>4019 2445 0277 5567</Number> <Issuer>Example Bank</Issuer> <Expiration>04/02</Expiration> </CreditCard> </PaymentInfo> 43 <PaymentInfo xmlns='http://example.org/paymentv2'> <Name>John Smith</Name> <EncryptedData Type='http://www.w3.org/2001/04/xmlenc#Element' xmlns='http://www.w3.org/2001/04/xmlenc#'> <CipherData> <CipherValue>A23B45C56...</CipherValue> </CipherData> </EncryptedData> </PaymentInfo>

Signature Authentic

Signature Data must not have changed since it was sent, Integrity. If encryption is used then a weak form on Integrity is implied It is hard to make meaningful changes to encrypted data In such cases again SSL may be enough If service requires XML Digital Signature then you can use DataPower If DataPower is not available you can use the supplied Security Handler Can verify signature on any elements in an inbound message Can only sign the body on an outbound message 45

Signature How we stop our data changing... only COMMAREA or Channel TCPIPSERVICE URIMAP Web Service Pipeline Program COMMAREA or Channel Data Power DataPower TCPIPSERVICE URIMAP Web Service 47

Example Pipeline Configuration <wsse_handler> <dfhwsse_configuration version="1"> <sign_body> <algorithm> http://www.w3.org/2000/09/xmldsig#rsa-sha1 </algorithm> <certificate_label>sigcert01</certificate_label> </sign_body> <expect_signed_body/> </dfhwsse_configuration> </wsse_handler> For Inbound: Flag to reject messages which don't have a signed body For Outbound: The algorithm with which to sign the message body For Outbound: The certificate with which to sign the message body 48

Signature <S:Envelope> <S:Header> <wsse:security S:mustUnderstand="1" xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/07/secext"> <wsse:binarysecuritytoken EncodingType="wsse:Base64Binary"> MIIDQTCC4ZzO7tIgerPlaid1q... [truncated] </wsse:binarysecuritytoken> <ds:signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">...signature data... </ds:signature> </wsse:security> </S:Header> Header contains the signature for OrderAircraft tag in the body <S:Body> <m:orderaircraft quantity= 1 type= 777 config= Atlantic xmlns:m= http://www.boeing.com/aircraftordersubmission /> </S:Body> <S:Envelope> Note: Data is not encrypted in the body 49

DataPower Some more use cases... Monitoring and control Example: centralized ingress management for all Web Services using ITCAM SOA Deep-content routing and data aggregation Example: XPath (content) routing on Web Service parameters Functional acceleration Example: XSLT, WS Security Application-layer security and threat protection Example: XML Denial-of-Service protection, WS Security In-the-clear SOAP/HTTP SOAP In-the-clear SOAP/HTTP Encrypted and Signed SOAP/HTTP SOAP SOAP 50 Clients Malicious SOAP/HTTP Cobol/MQ Cobol/ MQ Appl Service Providers

Identity Propagation New in TS V4.1 z/os 1r11 PK95579, PK83741 & PK98426 Enables two way mapping between dname@realm userid and RACF user ID Allows task association data to include BOTH RACF user and ICRX data Map an identity through the entire enterprise 52

Summary Web Service Security Support Overview Identity Transport and Message Level Native ( User ID) Security tokens WS Trust for non native security tokens X.509 Certificates Encryption Transport and Message Level SSL for Transport level Inbound: XML element encryption for message level Outbound: Whole body encryption for outbound (XML element with data power) Recommend using Data Power Signature Message Level only Inbound: XML element level signing Outbound: Whole body signing for outbound (XML element level with data power) Recommend using Data Power Identity Propagation 54 Propagate originating identity though with ICRX

Google us or check us out at: ibm/developerworks/cicsdev www.ibm.com/cics facebook.com/ibm twitter.com/ibm_ youtube.com/cicsfluff youtube.com/cicsexplorer themasterterminal.com twitter.com/ibm_system_z Explorer Forum ibm.com/developerworks/forums/forum.jspa? forumid=1475&start=0 55 -L list Forum listserv.uga.edu/archives/cics-l.html

Thank you, The future runs on System z Any Questions? http://atlanta.share.org/sessionevaluation Session: 10282 2011 IBM Corporation

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information