Securing your XML and Web service implementations
Nattakan Pengphon, Technical Specialist
Email: nattakan@th.ibm.com
2007 IBM Corporation
TH e-GIF: technical standards for electronic interoperability
1. Connectivity
2. Data exchange
3. Data storage and presentation formats
4. Data and information-system security
5. Others
Agenda
- Introduction to XML and Web Services
- SOA and Web Services Security Standards
- SOA and Web Services Security Architecture
- SOA and Web Services Security Tools and Solutions
What is XML?
- XML stands for EXtensible Markup Language
- XML is a markup language much like HTML
- XML was designed to carry data, not to display data
- XML tags are not predefined. You must define your own tags
- XML is designed to be self-descriptive
- XML is a W3C Recommendation
XML Does not DO Anything
Maybe it is a little hard to understand, but XML does not DO anything. XML was created to structure, store, and transport information.
XML is just plain text. However, XML-aware applications can handle the XML tags specially. The functional meaning of the tags depends on the nature of the application.
The following example is a note to Tove from Jani, stored as XML:
XML is Not a Replacement for HTML
XML is a complement to HTML. It is important to understand that XML is not a replacement for HTML. In most web applications, XML is used to transport data, while HTML is used to format and display the data.
My best description of XML is this: XML is a software- and hardware-independent tool for carrying information.
XML was designed to transport and store data. HTML was designed to display data.
Example XML Document
<?xml version="1.0"?>
<!-- Airplane.XML -->
<?xml:stylesheet type="text/xsl" href="Airplane.xsl"?>
<Airplane propulsion="propeller" Engines="1">
  <Name>Piper Warrior</Name>
  <Dims>
    <Dim Wing_Span="35Ft"></Dim>
    <Dim Length="23.8 ft"></Dim>
  </Dims>
</Airplane>
Annotations from the slide:
- XML Prolog: the <?xml version="1.0"?> declaration
- XML Comment: <!-- Airplane.XML -->
- Processing Instruction: the xml:stylesheet line
- Root Element: <Airplane>, with XML Attributes propulsion and Engines
- Child Elements of the Root: <Name> (containing Text) and <Dims>
- Grandchildren of the Root: the <Dim> elements
Parsing XML
XML may be well-formed, valid or both.
An XML document is well-formed if
- It starts with <?xml ... ?>
- Tags are strictly nested: <tag>...</tag>
- Certain special characters are written as entity references: &lt; for <, &amp; for &, etc.; bare < and & are used only for tags and entity references
- Comments look like <!-- This is a comment -->
An XML document is valid if
- It specifies and conforms to an XML Schema or Document Type Definition (DTD)
Valid XML documents are well-formed; well-formed XML documents might be valid.
XSL = XML Style Sheets
XML does not use predefined tags (we can use any tag names we like), and the meaning of these tags is not well understood. A <table> element could mean an HTML table, a piece of furniture, or something else, and a browser does not know how to display it.
XSL describes how the XML document should be displayed.
What is XSLT?
- XSLT stands for eXtensible Stylesheet Language Transformations
- XSLT is the most important part of XSL
- XSLT transforms an XML document into another XML document
- XSLT uses XPath to navigate in XML documents
- XSLT is a W3C Recommendation
Apply stylesheet to convert to HTML
Source XML:
<ticker>
  <quote>
    <company>xml Innovations</company>
    <symbol>xmli</symbol>
    <exchange>nasdaq NMS</exchange>
    <change>-7/16</change>
    <last>27 1/4</last>
    <pctchange>-1.58</pctchange>
    <yrhighlow>108, 10 5/8</yrhighlow>
    <dayhighlow>27 9/16, 26 1/2</dayhighlow>
    <volume>105,100</volume>
    <prevclose>27 11/16</prevclose>
    <open>27 3/8</open>
  </quote>
  <quote>
    <company>xsl Solutions</company>
    <symbol>xsls</symbol>
    <exchange>nasdaq NMS</exchange>
    <change>-9/16</change>
    <last>45 3/16</last>
    <pctchange>-1.23</pctchange>
    <yrhighlow>47 5/16, 25 5/8</yrhighlow>
    <dayhighlow>45 11/16, 44 1/2</dayhighlow>
    <volume>3,124,400</volume>
    <prevclose>45 3/4</prevclose>
    <open>44 5/8</open>
  </quote>
</ticker>
XSLT (the first two templates restate the built-in rules; the root template emits the HTML page):
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:template match="*|/"><xsl:apply-templates/></xsl:template>
  <xsl:template match="text()|@*"><xsl:value-of select="."/></xsl:template>
  <xsl:template match="/">
    <html>
      <HEAD>
        <TITLE>Your-Stock-Quote.com</TITLE>
      </HEAD>
      <BODY link="#006363" vlink="#006363">
        <BASEFONT face="arial" size="2">
        <TABLE border="0" cellpadding="0" cellspacing="0" width="400">
          <TBODY>
            <TR>
              <TD colspan="2" height="25" valign="top">
                <TABLE border="0" cellpadding="0" cellspacing="0" width="464">
                  <TBODY>
                    <TR>
                      <TD align="center" bgcolor="#ffffcc" colspan="2" height="40" valign="top">
                        <STRONG> ...
Output: HTML
XSL Information
- http://www.w3.org/style/xsl/
- http://xml.apache.org/xalan-j/
- http://www.alphaworks.ibm.com/nav/xml?open&c=xml+-+xsl
- http://www.microsoft.com/xml/articles/xmlmodel.asp
- http://www.w3.org/style/css/
- http://www.w3.org/tr/xsl/
- http://www.w3.org/tr/xslt
- http://www.jclark.com/xml/xt.html
- http://www-106.ibm.com/developerworks/library/hands-on-xsl/index.html
- http://www-106.ibm.com/developerworks/xml/library/x-xslt/index.html
- http://www.dpawson.co.uk/xsl/xslvocab.html
Web Services
What are Web Services?
- Web services are application components
- Web services communicate using open protocols
- Web services are self-contained and self-describing
- Web services can be discovered using UDDI
- Web services can be used by other applications
- XML is the basis for Web services
Web Service Architecture
Lifecycle: Build, Deploy, Run
(Diagram) The Service Provider publishes its Service Description (WSDL) to the Service Registry (UDDI); the Service Requester finds the description in the registry (UDDI/WSDL) and binds to the Web Service at the Service Provider over SOAP.
Emerging Web Service Standards
- SOAP: Simple Object Access Protocol
- WSDL: Web Service Description Language
- UDDI: Universal Description, Discovery and Integration
What is SOAP?
SOAP is a simple XML-based protocol that lets applications exchange information over HTTP. Or, more simply: SOAP is a protocol for accessing a Web Service.
- SOAP stands for Simple Object Access Protocol
- SOAP is a communication protocol
- SOAP is a format for sending messages
- SOAP is designed to communicate via the Internet
- SOAP is platform independent
- SOAP is language independent
- SOAP is based on XML
- SOAP is simple and extensible
- SOAP allows you to get around firewalls
- SOAP is a W3C standard
SOAP Messaging
Simple enveloping mechanism independent of transport layer
- Envelope: Body and Headers
- Body: RPC (Remote Procedure Calls) or Document Messages
- Headers: Additional information such as security or authorization
(Diagram: Envelope containing a Header and a Body; the Body carries the application data)
SOAP example (diagram)
SOAP Request/Response (diagram)
What is WSDL?
WSDL is an XML-based language for describing Web services and how to access them.
- WSDL stands for Web Services Description Language
- WSDL is based on XML
- WSDL is used to describe Web services
- WSDL is also used to locate Web services
- WSDL is a W3C standard
WSDL
XML language for describing Web services
- As a set of endpoints operating on messages
- Messages contain either document-oriented or procedure-oriented information
- Operations and messages are described abstractly
- Then bound to a concrete network protocol and message format to create an endpoint
Functional description of network-accessible services
- IDL description
- Protocol and deployment details
WSDL V1.1 Specification: http://www.w3c.org/tr/wsdl
WSDL Usage
Two types of WSDL service description documents
- Service Interface
- Service Implementation
Service Interface
- Abstract, reusable service definition
- Represents a type of service that can be implemented
- Elements: types, message, portType, binding
Service Implementation
- Implementation of one or more service interfaces
- Contains the endpoint reference
- Elements: import and service
WSDL Service Interface
<?xml version="1.0"?>
<definitions name="stockquoteservice-interface" ...
  <message name="symbolrequest">
    <part name="symbol" type="xsd:string"/>
  </message>
  <message name="quoteresponse">
    <part name="quote" type="xsd:string"/>
  </message>
  <portType name="stockquoteservice">
    <operation name="getquote">
      <input message="tns:symbolrequest"/>
      <output message="tns:quoteresponse"/>
    </operation>
  </portType>
  <binding name="stockquoteservicebinding" type="tns:stockquoteservice">
    <soap:binding style="rpc" transport="http://schemas.xmlsoap.org/soap/http"/>
    <operation name="getquote">
      <soap:operation soapAction="http://www.getquote.com/getquote"/>
      <input>
        <soap:body use="encoded" namespace="urn:live-stock-quotes" encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"/>
      </input>
      <output>
        <soap:body use="encoded" namespace="urn:live-stock-quotes" encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"/>
      </output>
    </operation>
  </binding>
</definitions>
WSDL Service Implementation
<?xml version="1.0"?>
<definitions name="stockquoteservice"
    targetNamespace="http://www.getquote.com/stockquoteservice"
    xmlns:interface="http://www.getquote.com/stockquoteservice-interface"
    xmlns:xsd="http://www.w3.org/1999/XMLSchema"
    xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
    xmlns="http://schemas.xmlsoap.org/wsdl/">
  <import namespace="http://www.getquote.com/stockquoteservice-interface"
          location="http://localhost:80/services/sqs-interface.wsdl"/>
  <service name="stockquoteservice">
    <documentation>stock Quote Service</documentation>
    <port name="localhost" binding="interface:stockquoteservicebinding">
      <soap:address location="http://localhost:8080/soap/servlet/rpcrouter"/>
    </port>
    ...
  </service>
</definitions>
TH e-GIF: technical standards for electronic interoperability
1. Connectivity
2. Data exchange
 - XML, XML Schema, SOAP, WSDL, UDDI, XSL
3. Data storage and presentation formats
4. Data and information-system security
5. Others
Agenda
- Introduction to XML and Web Services Security
- SOA and Web Services Security Standards
- SOA and Web Services Security Architecture
- SOA and Web Services Security Tools and Solutions
SOAP Message Security
Security in SOAP
Not described in the core specification: SOAP does not address security; SOAP 1.1 states: "How can SOAP be made secure?"
Rely on transport security?
- HTTP Authentication
- SSL for privacy and integrity
- Not message-based, end-to-end security: hops in the transport (i.e. intermediaries) expose the message
Add your own security?
- Required authentication sent as part of the SOAP Body
- Implement proprietary elements in the SOAP Header
- Not interoperable and hard to maintain
Deployment Architecture: No Security
(Diagram) The WS Client sends SOAP/HTTP through the Firewall to the Application Server; inside the Application Container the HTTP transport feeds the SOAP Runtime, which dispatches via the WSDL to the Web Service Business Logic.
All requests allowed access to the web service
- no authentication or authorization
- no message protection (no privacy or integrity)
Deployment Architecture: Transport Security
(Diagram) The Client Application sends SOAP/HTTPS through the Firewall to an Edge Server, which authenticates the SSL client; the Edge Server forwards SOAP/HTTPS through a second Firewall to the protected Application Server (Application Container: HTTP, SOAP Runtime, WSDL, Web Service Business Logic), which again authenticates the SSL client.
SSL provides
- authentication of SSL partners (client & server)
- message privacy/integrity across the network
Concerns
- Are network gaps secure enough for the desired level of trust?
- Is the original user secure across SOAP processing nodes (e.g., gateways)?
Message-based Security: End-to-End Security
(Diagram) The SOAP Message crosses two connections, each with its own Connection Integrity/Privacy (HTTP, HTTP?); the message-level protection travels with the message itself across both.
Message-based security does not rely on secure transport
- message itself is encrypted: message privacy
- message itself is signed: message integrity
- message contains identity: proof of origin
WS-Security: SOAP Message Security
WS-Security: SOAP Message Security defines a standard set of SOAP extensions that can be used when building secure Web services to implement integrity and confidentiality.
Allows:
- sending Security Tokens to authenticate requests
- signing Data to ensure data integrity and verify the sender
- encrypting Data to ensure privacy of data
Goal:
- End-to-end message content security
Web Services Standards Work To Date
(Layered stack, top to bottom)
- Additional Capabilities: Business Process Orchestration, Management, Composition/Orchestration, Portals
- Composable Service Elements: WS-Security, Reliable Messaging, Transactionality, Endpoint Identification, Publish/Subscribe
- Description: XML Schema, WSDL, UDDI, SOAP with Attachments
- Messaging / Invocation: XML, SOAP
- Transports: HTTP, HTTPS, SMTP, Others
Web Services and SOA Security
http://www.ibm.com/developerworks/webservices/library/specification/ws-secmap
(Layered stack, top to bottom)
- Business Processes: Business Process Execution Language
- Quality of Service: WS-Coordination, WS-Transactions, WS-Security, WS-Reliable Messaging
- Description and Discovery: WSDL, WS-Policy, UDDI
- Messaging and Encoding: SOAP, SOAP Attachments, XML, XML Infoset
- Transport: Other protocols, Other services
Security specifications built on WS-Security:
- WS-Secure Conversation, WS-Federation, WS-Authorization
- WS-Security Policy, WS-Trust, WS-Privacy
- OASIS 1.0 WS-Security (framework), with token profiles: Username profile, X.509 profile, Kerberos profile, SAML profile, REL profile, Liberty Mobile profile
- OASIS Secure exchange TC
SOAP Message Security: Extensions to Header
(Diagram: Envelope → Header → Security Element holding a Security Token, a Signature and Encrypted Data; the Body holds the application data)
SOAP Header allows for extensions
OASIS standard WS-Security: SOAP Message Security
- defines XML for Tokens, Signatures and Encryption
- defines how these elements are included in the SOAP Header
SOAP Message Security: Elements
Security Tokens: claims about the message originator
- Username Token: Username, or Username & Password (Plaintext or Digest)
- Binary Token: X.509 Certificates, Kerberos Tokens
- XML Tokens: SAML Token
- User Defined Tokens
Signature: across all or part of the SOAP message
- SOAP Body, Security Token or both
- Signature of Token proves authenticity and integrity of claims
- Signature of both Body & Token binds together the Body and Token
Encrypted Data: all or part of the SOAP message
- Provides confidentiality on all/parts of a message
SOAP Message Security: Example of Header Elements
<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
  <S:Header>
    <wsse:Security>
      <wsse:UsernameToken>
        <wsse:Username>user123</wsse:Username>
        <wsse:Password>ILoveDogs</wsse:Password>
      </wsse:UsernameToken>
      <ds:Signature>...</ds:Signature>
    </wsse:Security>
  </S:Header>
  <S:Body>
    <m:GetStockQuote xmlns:m="http://quote.org/quote">
      <Symbol>IBM</Symbol>
    </m:GetStockQuote>
  </S:Body>
</S:Envelope>
SOAP Message Security: What are Security Tokens?
Examples include
- Username token
- X.509 Certificate
- Kerberos ticket
- SAML assertion
Represent claims about
- Identity
- Attributes
- Privileges
SOAP Message Security: Security Tokens - Username
UsernameToken carries the User Id in the message.
Example using only <Username>:
<wsse:Security>
  <wsse:UsernameToken>
    <wsse:Username>user123</wsse:Username>
  </wsse:UsernameToken>
</wsse:Security>
UsernameToken may also contain a password; there are several choices for its format (see the next two slides).
SOAP Message Security: UsernameToken with Password
Username and plain-text password:
<wsse:UsernameToken wsu:Id="...">
  <wsse:Username>user123</wsse:Username>
  <wsse:Password Type="wsse:PasswordText">ILoveDogs</wsse:Password>
</wsse:UsernameToken>
SOAP Message Security: UsernameToken with Password Digest
Username and digest (hashed) password:
<wsse:UsernameToken wsu:Id="...">
  <wsse:Username>user123</wsse:Username>
  <wsse:Password Type="wsse:PasswordDigest">Ub%l3i+bbwDiT91C;[L Skfj8d8fgn</wsse:Password>
  <wsse:Nonce>WScqanjCEAC4mQoBE07sAQ==</wsse:Nonce>
  <wsu:Created>2003-07-16T01:24:32Z</wsu:Created>
</wsse:UsernameToken>
Nonce is a random value (optional element)
- each new UsernameToken requires a new Nonce
- Password + Nonce are used in the Digest calculation
- prevents replay attacks
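The digest on this slide is computed as the OASIS UsernameToken Profile specifies: Base64(SHA-1(nonce + created + password)), with the nonce in its raw decoded form. The following Python is an added example (not from the deck) of both halves of that exchange: the client builds the token, and the server recomputes the digest and enforces the two replay defences the slide alludes to, a freshness window on Created and a one-time-use rule for each nonce. The credentials, the five-minute window and the in-memory nonce cache are this example's own choices; the nonce and Created values reuse the slide's.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

# Constructed demo credential store (the deck's example user and password).
DEMO_CREDENTIALS = {"user123": "ILoveDogs"}
# Nonce and Created values taken from the slide's example token, used as a fixed vector.
DEMO_NONCE = "WScqanjCEAC4mQoBE07sAQ=="
DEMO_CREATED = "2003-07-16T01:24:32Z"

TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"   # xsd:dateTime form carried in wsu:Created


def parse_created(text):
    """Parse a wsu:Created value into an aware UTC datetime."""
    return datetime.strptime(text, TIME_FMT).replace(tzinfo=timezone.utc)


def password_digest(nonce_b64, created, password):
    """UsernameToken Profile 1.0 digest: Base64(SHA-1(nonce + created + password)).
    The nonce enters in decoded (raw byte) form; Created enters as its text."""
    material = base64.b64decode(nonce_b64) + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(material).digest()).decode("ascii")


def make_username_token(username, password, nonce_b64=None, created=None):
    """Client side: the four values a <wsse:UsernameToken> with PasswordDigest carries.
    A fresh random nonce and the current time are used unless fixed values are supplied."""
    nonce_b64 = nonce_b64 or base64.b64encode(os.urandom(16)).decode("ascii")
    created = created or datetime.now(timezone.utc).strftime(TIME_FMT)
    return {
        "Username": username,
        "PasswordDigest": password_digest(nonce_b64, created, password),
        "Nonce": nonce_b64,
        "Created": created,
    }


class UsernameTokenVerifier:
    """Server side: recompute the digest and reject stale or replayed tokens."""

    def __init__(self, credentials, freshness=timedelta(minutes=5)):
        self.credentials = credentials   # username -> password (demo store)
        self.freshness = freshness       # how far Created may lie from the receiver's clock
        self.seen_nonces = {}            # nonce -> time after which it can be forgotten

    def verify(self, token, now=None):
        """Return (accepted, reason). `now` is an xsd:dateTime string, or None for wall clock."""
        now_dt = parse_created(now) if now else datetime.now(timezone.utc)
        try:
            created_dt = parse_created(token["Created"])
        except (KeyError, ValueError):
            return False, "missing or malformed Created"
        # 1. Freshness: a token outside the window is stale (or from a badly skewed clock)
        if abs(now_dt - created_dt) > self.freshness:
            return False, "Created outside freshness window"
        # 2. Replay: drop nonces whose window has passed, then refuse any already seen
        self.seen_nonces = {n: exp for n, exp in self.seen_nonces.items() if exp > now_dt}
        if token["Nonce"] in self.seen_nonces:
            return False, "nonce already used (replay)"
        # 3. Credential check: recompute the digest with the stored password
        password = self.credentials.get(token["Username"])
        if password is None:
            return False, "unknown user"
        expected = password_digest(token["Nonce"], token["Created"], password)
        if not hmac.compare_digest(expected, token["PasswordDigest"]):
            return False, "digest mismatch"
        self.seen_nonces[token["Nonce"]] = created_dt + self.freshness
        return True, "ok"
```

The nonce cache only needs to remember nonces for as long as the freshness window, since anything older is refused by the timestamp check first; that is what keeps the cache bounded on a busy endpoint.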
SOAP Message Security: Security Tokens - Binary Tokens
BinarySecurityToken: non-XML token types
Example: X.509 Certificate
<wsse:BinarySecurityToken wsu:Id="..." ValueType="wsse:X509v3" EncodingType="wsse:Base64Binary">
  Base 64 encoded X.509 Certificate
</wsse:BinarySecurityToken>
Example: Kerberos ticket
<wsse:BinarySecurityToken wsu:Id="..." ValueType="wsse:Kerberosv5ST" EncodingType="wsse:Base64Binary">
  Base 64 encoded Kerberos token
</wsse:BinarySecurityToken>
SOAP Message Security: Security Tokens - Arbitrary XML Tokens
<SecurityTokenReference> element
- used to include an XML structure as a Security Token, for example a SAML token or a Liberty token
- usually points to XML either internal or external to the message
<wsse:Security>
  <saml:Assertion AssertionID="...">
    Assertion
  </saml:Assertion>
  <wsse:SecurityTokenReference>
    <wsse:KeyIdentifier ValueType="saml:Assertion">
      Assertion ID
    </wsse:KeyIdentifier>
  </wsse:SecurityTokenReference>
</wsse:Security>
SOAP Message Security: Security Tokens - Arbitrary XML Tokens
<SecurityTokenReference> allows for an external token
- Somewhere else in the current document, or
- Outside the current document, retrievable via a given URI
<wsse:SecurityTokenReference wsu:Id="STR1">
  <saml:AuthorityBinding Binding="SOAP-binding"
                         AuthorityKind="samlp:AssertionIdReference"
                         Location="http://somewhere.dns.name/saml-authority"/>
  <wsse:KeyIdentifier wsu:Id="KEY1" ValueType="...#SAMLAssertionID">
    Assertion ID
  </wsse:KeyIdentifier>
</wsse:SecurityTokenReference>
XML Digital Signature: Overview
(Diagram) A <ds:Signature> contains a <SignedInfo> with one <Reference> per signed piece of XML data, each holding the URI of that data and its Digest; a <KeyInfo> carrying, for example, an X.509 Certificate; and the <SignatureValue>.
<SignedInfo> structure is the data that is signed
- includes Digests of one or more XML elements
- the result of the signature is <SignatureValue>
SOAP Message Security: Signature of Body
(Diagram: Envelope → Header → Security → Signature, whose Reference points at the data covered by the signature, the application data in the Body)
Signing a SOAP message
(Diagram: Browser → HTTP → Client application (Service requester) → SOAP/HTTP Request/Response → Server application (Service provider))
1. Client: X.509 security token generation; digitally sign the message with the private key of the Client certificate
2. Server: validate the message request with the public key of the Client certificate
3. Server: digitally sign the message response with the private key of the Server certificate
4. Client: validate the message response with the public key of the Server certificate
<wsse:Security>
  <wsse:BinarySecurityToken>...eg+9iksop0qijaghfty.\2"fhYHSgtDu... (X.509 certificate)</wsse:BinarySecurityToken>
</wsse:Security>
Signed SOAP request message
<soapenv:Envelope>
  <soapenv:Header>
    <wsse:Security S:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <!-- X.509 cert -->
      <wsse:BinarySecurityToken EncodingType="wsse:Base64Binary">
        MIIDQTCC4ZzO7tIgerPlaid1q... [truncated]
      </wsse:BinarySecurityToken>
      <!-- Signature -->
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        ...signature data...
      </ds:Signature>
    </wsse:Security>
  </soapenv:Header>
  <!-- SOAP body -->
  <soapenv:Body>
    <p635:ca_request_id>01ordr</p635:ca_request_id>
    <p635:ca_return_code>0</p635:ca_return_code>
    [truncated]
  </soapenv:Body>
</soapenv:Envelope>
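The three signature slides describe the same mechanism: digest each referenced element, put the digests in <SignedInfo>, sign <SignedInfo>, and bind Body and Token together by referencing both. The Python below is an added example (not from the deck) of that structure end to end, including the two-step verification a receiver performs and the failure when the Body is altered after signing. It departs from the slide in one labelled respect: because the standard library has no RSA, the SignatureMethod is HMAC-SHA256 (one of the methods XML-DSig defines) over a constructed shared key, rather than the X.509 key pair of the diagram, and canonicalization is the Canonical XML 2.0 built into the stdlib. The sample Body and Username token are constructed to mirror earlier slides.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("ds", DS)

# Standard algorithm identifiers (XML-DSig, XML Encryption and RFC 4051 extensions).
C14N_ALG = "http://www.w3.org/2010/xml-c14n2"
DIGEST_ALG = "http://www.w3.org/2001/04/xmlenc#sha256"
SIG_ALG = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"
# Constructed shared secret standing in for the X.509 key pair of the slide.
DEMO_KEY = b"constructed-demo-shared-secret"

# Constructed message parts, mirroring the deck's GetStockQuote body and Username token.
SAMPLE_BODY = ('<S:Body xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">'
               '<m:GetStockQuote xmlns:m="http://quote.org/quote"><Symbol>IBM</Symbol>'
               '</m:GetStockQuote></S:Body>')
SAMPLE_TOKEN = ('<wsse:UsernameToken xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/'
                'oasis-200401-wss-wssecurity-secext-1.0.xsd">'
                '<wsse:Username>user123</wsse:Username></wsse:UsernameToken>')


def canonical(xml_text):
    """Canonical XML 2.0 octets: the same logical element yields the same bytes
    whatever prefixes or insignificant whitespace its serialisation happened to use."""
    return ET.canonicalize(xml_text, strip_text=True, rewrite_prefixes=True).encode("utf-8")


def digest_b64(xml_text):
    """DigestValue for one referenced element."""
    return base64.b64encode(hashlib.sha256(canonical(xml_text)).digest()).decode("ascii")


def build_signed_info(references):
    """<ds:SignedInfo> with one <ds:Reference> per (URI, DigestValue) pair."""
    refs = "".join(
        '<ds:Reference URI="%s"><ds:DigestMethod Algorithm="%s"/>'
        '<ds:DigestValue>%s</ds:DigestValue></ds:Reference>' % (uri, DIGEST_ALG, dv)
        for uri, dv in references)
    return ('<ds:SignedInfo xmlns:ds="%s"><ds:CanonicalizationMethod Algorithm="%s"/>'
            '<ds:SignatureMethod Algorithm="%s"/>%s</ds:SignedInfo>'
            % (DS, C14N_ALG, SIG_ALG, refs))


def sign(key, parts):
    """`parts` maps a reference URI (e.g. '#body') to the XML text it designates.
    Referencing Body and Token from one SignedInfo binds them: neither can be swapped alone."""
    signed_info = build_signed_info([(uri, digest_b64(xml)) for uri, xml in parts.items()])
    sig = hmac.new(key, canonical(signed_info), hashlib.sha256).digest()
    return ('<ds:Signature xmlns:ds="%s">%s<ds:SignatureValue>%s</ds:SignatureValue>'
            '</ds:Signature>' % (DS, signed_info, base64.b64encode(sig).decode("ascii")))


def verify(key, signature_xml, parts):
    """Receiver side: check SignatureValue over SignedInfo, then every Reference digest."""
    root = ET.fromstring(signature_xml)
    signed_info = root.find("{%s}SignedInfo" % DS)
    sig_value = base64.b64decode(root.findtext("{%s}SignatureValue" % DS, ""))
    expected = hmac.new(key, canonical(ET.tostring(signed_info, encoding="unicode")),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig_value):
        return False, "SignatureValue does not verify"
    for ref in signed_info.findall("{%s}Reference" % DS):
        uri = ref.get("URI")
        if uri not in parts:
            return False, "referenced element %s missing" % uri
        if ref.findtext("{%s}DigestValue" % DS) != digest_b64(parts[uri]):
            return False, "digest mismatch for %s (content changed after signing)" % uri
    return True, "ok"
```

Verification deliberately checks SignatureValue before the digests: a forged SignedInfo with recomputed digests over altered content still fails at the first step because the attacker lacks the key, which is why signing the digests rather than the content directly loses nothing.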
Encrypting a SOAP message
(Diagram: Browser → HTTP → Client application (Service requester) → SOAP/HTTP Request/Response → Server application (Service provider))
1. Client: encrypt the message with a random secret key; encrypt the secret key with the public key of the Server certificate
2. Server: decrypt the secret key with the private key of the Server certificate; decrypt the message with the secret key
3. Server: encrypt the message response with a random secret key; encrypt the secret key with the public key of the Client certificate
4. Client: decrypt the secret key with the private key of the Client certificate; decrypt the message response with the secret key
<soapenv:Body>
  <EncryptedData xmlns="..." Id="wssecurity_encryption_id_xxxx" Type="http://www.w3.org/2001/04/xmlenc#Content">
    <EncryptionMethod Algorithm="..."></EncryptionMethod>
    <CipherData>
      <CipherValue>6LPA6MFTI5dc2xtnjiiJ...</CipherValue>
    </CipherData>
  </EncryptedData>
</soapenv:Body>
Encrypted SOAP request message
<soapenv:Envelope>
  <soapenv:Header>
    <wsse:Security S:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
        <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
        <!-- Key info -->
        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <ds:KeyName>cn=cicscert, T=Ciwss3c1-cert, OU=PSSC, O=ITSO, L=ENDICOTT, ST=NEW YORK, C=US</ds:KeyName>
        </ds:KeyInfo>
        <!-- Encrypted secret key -->
        <CipherData>
          <CipherValue>rN8nTy+IlIPN/g4 [truncated]</CipherValue>
        </CipherData>
      </EncryptedKey>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body>
    <!-- Encrypted data -->
    <EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#">
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
      <CipherData>
        <CipherValue>y3FFMZ4ckOZjfpydskgrNHQP9Pr [truncated]</CipherValue>
      </CipherData>
    </EncryptedData>
  </soapenv:Body>
</soapenv:Envelope>
TH e-GIF: technical standards for electronic interoperability
1. Connectivity
2. Data exchange
 - XML, XML Schema, SOAP, WSDL, UDDI, XSL
3. Data storage and presentation formats
4. Data and information-system security
 - Encryption, XML Signature, XML Encryption, WS-Security
5. Others
Agenda
- SOA and Web Services Security - Overview
- SOA and Web Services Security Standards
- SOA and Web Services Security Architecture
- SOA and Web Services Security Tools and Solutions
Point-to-Point versus End-to-End Security
SSL/TLS offers several security features including authentication, data integrity, and data confidentiality, but only for individual hops.
(Diagram: Requestor → Intermediary → Web Service, with a separate Security Context on each hop)
What is needed in a comprehensive Web Service security architecture is a mechanism that provides end-to-end security and greater functionality.
(Diagram: Requestor → Intermediary → Web Service, with a single Security Context spanning the whole path)
Web Service Security
(Diagram)
1. The Service Provider publishes the service to the Public UDDI
2a. The Service Consumer queries the service; 2b. the UDDI returns the Service Contract
3. The Service Consumer invokes the service: 3a. invokes the service per contract across the Internet; 3b. the request reaches the Web Server (XML Firewall); 3c. the request reaches the Service Provider
Web Service Security (Continued)
(Same diagram as the previous slide: publish to Public UDDI, query and receive the Service Contract, invoke across the Internet through the XML Firewall to the Service Provider)
Request Body
- Signed with the Service Consumer's Private Key
- Encrypted with the Service Provider's Public Key
- Includes the Service Consumer's X.509 Certificate
Web Service Response
- Signed with the Service Provider's Private Key
- Encrypted with the Service Consumer's Public Key
- Includes the Service Provider's X.509 Certificate
Key Stores (Service Consumer and Service Provider)
1. The other party's Certificate
2. Root Certificate of the CA
Web Services Security High Level Architecture
(Diagram) A SOAP Request carries WS-Security Headers and Transport Headers between the Client and the AppServer; each side has a Request Security Handler and a Response Security Handler, configured through the Deployment Descriptor and Service Bindings.
Client side
- Request: Security Token Generation → Digital Signature Generation → Encrypt Message
- Response: Decrypt Message → Digital Signature Validation
AppServer side (in front of the EJB or Java Bean)
- Request: Decrypt Message → Digital Signature Validation → Security Token Validation and Setup Security Context
- Response: Digital Signature Generation → Encrypt Message
Agenda
- SOA and Web Services Security - Overview
- SOA and Web Services Security Standards
- SOA and Web Services Security Architecture
- SOA and Web Services Security Tools and Solutions
Challenges with XML & Web Services
Statement of Problem/Pain: XML is the foundation of SOA, but it brings new challenges:
- Scalability: XML is bandwidth, CPU, and memory intensive
- Performance: some XML apps literally grind to a halt
- Security: connecting systems never before connected
- Security: clear text over HTTP with no inherent security
- Integration: connecting Web services to legacy applications
- Standards are still in flux
Businesses want to move to standards-based XML, but XML is bulky, which can cause performance bottlenecks.
Businesses want to deploy secure XML-based applications, but security adds further bulk to the application that slows it down.
Web Service Security is XML Processing
Performance is key to security
Processing steps (relative time, software only, as plotted on the slide):
  Parsing                 1
  Schema Validation       3
  XPath Filtering         5
  XML Decryption          8
  Signature Verification  8
  Parsing                 1
  Schema Validation       3
  XML Transformation     10
  XML Signing             6
  XML Encryption          8
- Each security function requires XML processing
- Must implement all services without any compromise
- Need the ability to scale as content and user base grow
DataPower is Much More than Acceleration Software: An SOA Appliance
Creating customer value through extreme SOA performance and security
- Simplifies SOA with specialized devices
- Accelerates SOA with faster XML throughput
- Helps secure SOA XML implementations
- Skills & Support
WebSphere DataPower SOA Appliances redefine the boundaries of middleware, extending the SOA Foundation with specialized, consumable, dedicated SOA appliances that combine superior performance and hardened security for SOA implementations.
Web Service Security is XML Processing
Performance is key to security
(Bar chart: time per processing step, Software only versus Software with DataPower* Crypto Acceleration. Software-only values as plotted: Parsing 1, Schema Validation 3, XPath Filtering 5, XML Decryption 8, Signature Verification 8, Parsing 1, Schema Validation 3, XML Transformation 10, XML Signing 6, XML Encryption 8.)
- Each security function requires XML processing
- Must implement all services without any compromise
- Need the ability to scale as content and user base grow
* For demonstration only. Actual processing time varies depending on application.
Advantages of an Appliance vs. Software-Only Solution
(Diagram) Software stack on a typical server: proprietary software, Apache, Tomcat, MySQL, libxml, glibc, Java, Linux OS and Linux daemons, each with its own configuration, on commodity hardware with floppy, CD-ROM, USB port and disk. WebSphere DataPower Appliance: a single configuration over firmware with XML Acceleration and Crypto Acceleration on dedicated hardware.
- Optimized hardware, firmware, embedded OS
- Significantly fewer moving parts, no complicated software stack
- Security vulnerabilities eliminated (e.g. no open source, Trojan horses, Java/C++ libraries)
- No drives/USB ports, tamper-proof case, lock-down configuration
- Much higher performance, easier to configure, more secure, and cheaper to maintain
Simple Appliance Configuration for Complex Functionality
Fits into your existing environment
- Addresses broad organizational needs (Architects, Developers, Network Operations, Security)
- Complete configuration from GUI or CLI interface
- IDE integration / Eclipse plug-in
- XPath / XML config files
- SNMP
- SOAP management interface
SOA Appliances Centralize and Simplify Key Functions
Route, transform, and help secure multiple applications without code changes. Lower cost and complexity. Enable new business with unmatched performance.
Before SOA Appliance: update application servers individually for
- Security Processing
- Routing
- Web services management
- Transformation
- New XML standard
- Access control update
- Schema validation
After SOA Appliances
- Secure, route, transform for all applications readily
- No changes to applications
WebSphere DataPower SOA Appliance Product Line
XM70
- High volume, low latency messaging
- Enhanced QoS and performance
- Simplified, configuration-driven approach to LLM
- Publish/subscribe messaging
- High Availability
XB60
- B2B Messaging (AS2/AS3)
- Trading Partner Profile Management
- B2B Transaction Viewer
- Unparalleled performance
- Simplified management and configuration
XI50
- Hardware ESB
- Any-to-Any conversion at wire speed
- Bridges multiple protocols
- Integrated message-level security
XA35
- Offload XML processing
- No more hand-optimizing XML
- Lowers development costs
XS40
- Enhanced Security Capabilities
- Centralized Policy Enforcement
- Fine-grained authorization
- Rich authentication
Standards
DataPower and the Standards
OASIS:
- Web Services Security (WSS) TC
- Web Services Distributed Management (WSDM)
- Security Services (SAML)
- XACML
- Reliable Exchange, Web Services Transactions
- XSLT/XPATH Conformance
- Digital Signature Services
- ebXML Messaging TC
WS-I:
- Basic Security Profile Working Group
- MC Committee
- SOAP with Attachments Working Group
W3C:
- XML Protocol WG for SOAP
- XML Binary
- WS Addressing
- XML Key Management Services (XKMS) WG
- XML Encryption WG
- XML-DSig WG
OMG (Object Management Group):
- CORBA Security specification
ACORD:
- Joint Architecture Group [Framework][Security]
Security Features
Security: Top Concern for SOA
- XML Web services easily expose backend systems to customers and partners
- Traditional security devices do not secure XML/SOAP
Solution: multiple levels of defense
- First level: XML Security Gateway for enhanced security, scalability, and simplicity
- Second level: Application server for additional processing
Gartner: Web Services Security Best Practices
Provide System Security
- Inspect ALL traffic
- Transform all messages
- Mask internal resources
- Implement XML filtering
- Secure logging
- Protect against XML DoS
- Require good authentication mechanisms
Provide Message Security
- Sign all messages
- Validate messages (Inbound + Outbound)
- Time-stamp all messages
Ask for Compatibility
- SSL, SAML, X.509, WS-Security
- WS-* extensions
Build Expertise / Design From Strength
- Educate Business Leaders
- Build Centralized Infrastructure
- SSL is key
- Use management/security platforms
- Manage your identities
- You may need PKI
- Trust (Really) Your Partners
- Monitor and Control
"Therefore, enterprises should investigate tools such as security gateways, SSL concentrators and accelerators, and wire-speed SOAP/XML inspection hardware." -- John Pescatore, Gartner
XS40 XML Security Gateway: Purpose-Built for SOA Security
- XML/SOAP Firewall: filter on any content, metadata or network variables
- Data Validation: approve incoming and outgoing XML and SOAP with minimal latency
- Message and Field Level Security: WS-Security encryption, decryption, digital signatures, etc.
- XML Web Services Access Control/AAA: SAML, LDAP, RADIUS, etc.
- Web Services Management: Service Level Management, Service Virtualization, Policy Management
- Content-based Message Routing
- Web Application Firewall Capabilities: security proxy, threat mediation and content processing services for HTTP-based web applications
XML and SOAP Firewall
Highly configurable request and response filtering
- IP-layer parameter filtering (client IP address, etc.)
- SSL parameter filtering (client certificate, etc.)
- HTTP header filtering
- XPath filtering of any part of the SOAP envelope or XML payload
- Filtering by Service, URL, etc.
Easy point-and-click XPath Filtering
XML Threats
- XML Entity Expansion and Recursion Attacks
- XML Document Size Attacks
- XML Document Width Attacks
- XML Document Depth Attacks
- XML Denial of Service (xDoS)
- XML Wellformedness-based Parser Attacks
- Jumbo Payloads
- Recursive Elements
- MegaTags, aka Jumbo Tag Names
- Public Key DoS
- XML Flood
- Resource Hijack
- Dictionary Attack
- Message Tampering
- Falsified Message
- Data Tampering
- Message Snooping
- XPath Injection
- SQL Injection
- WSDL Enumeration
- Routing Detour
- Schema Poisoning
- Malicious Morphing
- Malicious Include, also called XML External Entity (XXE) Attack
- Memory Space Breach
- XML Encapsulation
- XML Virus
- Replay Attack
XML Threat Scenario: (Mis)use-case: XML Denial Of Service (xDoS)
(Diagram: Hacker → SOAP passes through firewalls and the DMZ → Application Server at http://172.16.88.160:8081/TomcatBank/services/BankBean → heap dump)
Structural XML exploits, e.g. XML Entity Recursion ("Billion Laughs")
Result:
- High CPU utilization: 100% by the App Server process
- Out-of-Memory Error in the App Server logs
- Service outage & heap dump
XML Structural Exploit: Billion Laughs
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE getcustomerfullname[
  <!ELEMENT billion (#PCDATA)>
  <!ENTITY laugh0 "ha">
  <!ENTITY laugh1 "&laugh0;&laugh0;">
  <!ENTITY laugh2 "&laugh1;&laugh1;">
  <!ENTITY laugh3 "&laugh2;&laugh2;">
  ... and so on ...
  <!ENTITY laugh127 "&laugh126;&laugh126;">
]>
<SOAP-ENV:Envelope>
  <SOAP-ENV:Body>
    <getcustomerfullname>
      <customerid xsi:type="xsd:string">111-11-1111</customerid>
      <billion>&laugh127;</billion>
    </getcustomerfullname>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
XML Threat Solution: xDoS Protection
(Diagram: Hacker → XML Security Appliance at http://datapower.demo.com:2001/tomcatbank → Web Service at http://172.16.88.170:8081/TomcatBank/services/BankBean)
- XML Attacks are stopped & logged
- Protects any App Server hosting Web Services
- Non-invasive, drop-in solution
- Existing Apps: minimal changes required
- New Apps: reusable QoS
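The structural checks a gateway applies to stop the threats on the XML Threats slide, and the Billion Laughs document in particular, reduce to refusing DOCTYPE and entity declarations before any expansion happens and capping size, depth, element count and tag-name length, while also rejecting documents that are not well-formed in the sense of the Parsing XML slide. The Python below is an added example (not from the deck, and not DataPower's implementation) of those checks over the stdlib expat parser; the limit values and the sample documents, including a four-level cut of the slide's entity chain, are constructed for the demonstration.

```python
import xml.parsers.expat as expat


class XMLRejected(Exception):
    """Raised from a parser callback when a document breaks a structural limit."""


def inspect_xml(data, max_bytes=1_000_000, max_depth=32, max_elements=50_000, max_name_len=256):
    """Parse `data` under structural limits and return (accepted, detail).

    Rejects oversize documents, any DOCTYPE (the only place internal entities such as the
    Billion Laughs chain and external entities can be declared), entity declarations,
    external entity references, excessive depth, excessive element counts, jumbo tag names,
    and anything not well-formed (e.g. a bare '<' or '&' in text instead of &lt; / &amp;).
    """
    size = len(data.encode("utf-8")) if isinstance(data, str) else len(data)
    if size > max_bytes:
        return False, "document exceeds %d bytes" % max_bytes

    stats = {"depth": 0, "max_depth": 0, "elements": 0}
    parser = expat.ParserCreate()

    def start_doctype(name, sysid, pubid, has_internal_subset):
        # Fires before the internal subset is read, so no entity is ever expanded.
        raise XMLRejected("DOCTYPE not allowed (entity expansion / XXE risk)")

    def entity_decl(*_args):
        raise XMLRejected("ENTITY declaration not allowed")

    def external_entity_ref(context, base, sysid, pubid):
        raise XMLRejected("external entity reference not allowed")

    def start_element(name, attrs):
        if len(name) > max_name_len:
            raise XMLRejected("tag name longer than %d characters" % max_name_len)
        stats["elements"] += 1
        if stats["elements"] > max_elements:
            raise XMLRejected("more than %d elements" % max_elements)
        stats["depth"] += 1
        stats["max_depth"] = max(stats["max_depth"], stats["depth"])
        if stats["depth"] > max_depth:
            raise XMLRejected("nesting deeper than %d" % max_depth)

    def end_element(name):
        stats["depth"] -= 1

    parser.StartDoctypeDeclHandler = start_doctype
    parser.EntityDeclHandler = entity_decl
    parser.ExternalEntityRefHandler = external_entity_ref
    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element

    try:
        parser.Parse(data, True)          # True: this is the final (only) chunk
    except XMLRejected as exc:
        return False, str(exc)
    except expat.ExpatError as exc:
        return False, "not well-formed: %s" % exc
    return True, "ok: %d elements, depth %d" % (stats["elements"], stats["max_depth"])


# Constructed samples. The first is a four-level cut of the slide's Billion Laughs chain
# (2^4 copies of "ha"), enough to exercise the check without being expensive to run.
BILLION_LAUGHS_SMALL = """<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE getcustomerfullname [
 <!ELEMENT billion (#PCDATA)>
 <!ENTITY laugh0 "ha">
 <!ENTITY laugh1 "&laugh0;&laugh0;">
 <!ENTITY laugh2 "&laugh1;&laugh1;">
 <!ENTITY laugh3 "&laugh2;&laugh2;">
 <!ENTITY laugh4 "&laugh3;&laugh3;">
]>
<Envelope><Body><billion>&laugh4;</billion></Body></Envelope>"""

BENIGN_SOAP = ('<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">'
               '<SOAP-ENV:Body><getcustomerfullname><customerid>111-11-1111</customerid>'
               '</getcustomerfullname></SOAP-ENV:Body></SOAP-ENV:Envelope>')

DEEP_NESTING = "<a>" * 40 + "</a>" * 40      # depth attack: 40 levels exceeds max_depth=32
MALFORMED = "<a><b>5 < 6</b></a>"            # bare '<' in text: not well-formed
```

Because the DOCTYPE callback rejects the document before the internal subset is parsed, the expansion cost is never paid, which is the property a gateway needs: the check must be cheaper than the attack it blocks.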
Access Control Integration Framework (AAA): Authenticate, Authorize, Audit
(Diagram) Input Message → Extract Resource and Extract Identity → Authenticate → Map Credentials / Map Resource → Authorize → Output Message, with Credential Mediation, IDS Integration, Monitoring, and Audit & Accounting alongside.
- Extract Resource from: Transport Headers, URL, SOAP Method, XPath
- Extract Identity from: WS-Security, SAML, X.509, Kerberos, Proprietary Tokens
- Authenticate against: LDAP, ActiveDirectory, SAML, Tivoli, CA eTrust/Netegrity, RSA, Entrust, Novell, RACF
- Authorize against: LDAP, ActiveDirectory, SAML, Tivoli, CA eTrust/Netegrity, RSA, Entrust, Novell, Proprietary; can emit a SAML Assertion
- Backed by an External Access Control Server or the Onboard Identity Management Store
WebSphere DataPower Appliance Deployment Scenarios
(Diagram) Internet users and federated extranet partners enter through Packet Filters into a Demilitarized Zone; XS40 appliances sit in the DMZ and on the intranet in front of the SOA platform and SOAP-enabled enterprise applications.
1. Helps protect against incoming attacks; incoming access control
2. Outgoing access control, SAML injection, role mappings
3. Internal security (XS40 between internal users and SOAP-enabled enterprise applications)
Screen Shots
Configuration Driven, NO Programming
Example: Build Web Service Proxy with AAA (screenshot)
Add an AAA Security Action (screenshot)
Choose Authentication Method (screenshot)
DataPower Flash Demo: XML Firewall Demo (click the icon to activate the demo)
Why DataPower? Performance
Scenario: WSBench with Web Services Security
- Windows 2003, 2x3.2GHz HyperThreaded, 2G mem, 512 cache
- DataPower, firmware version 3.5.0.6, 9002-XS40-03 [Rev 04]
(Bar chart: throughput (req/sec), DataPower versus WAS 6.0.2, for the scenarios 1in1out, 1in10out, 10in1out, 10in10out, 100in100out; bar labels as extracted: 579, 433, 411, 330, 117, 90, 63, 53, 61, 8)
Why DataPower?
- Security (risk of operational loss): XML threats
- Management of the web services framework (risk of operational loss, risk to customer satisfaction): SLAs, Monitoring, Governance