Enterprise SOA Security Training Syllabus

Curriculum Designed by Experts

Web Services Enterprise QoS: Introduction

  • WS-* Specifications (Generic specs)
  • WS-Policy
  • WS-Addressing
  • WS-Routing
  • Interoperability (WSIT) & WS-* Specifications for Security, Reliability, Transaction
  • WS-I
  • WSIT (Project Tango) Overview
  • Web Services Transaction

Security Basics

  • Common Security Threats
  • Identity Interception
  • Replay Attack
  • Data Interception and Manipulation
  • Repudiation
  • Denial of Service
  • Network Security Needs
  • Authentication
  • Access Control
  • Data Confidentiality
  • Data Integrity
  • Non-Repudiation
  • Auditing

Codifying security policies

  • Introducing declarative security
  • Policy consolidation for planning and consistent enforcement
  • Use at design time to ensure interoperability
  • Use at runtime to ensure interoperability

Canonical XML and Exclusive XML Canonicalization

  • Introduction
  • Canonicalizing an XML document
  • Exclusive XML Canonicalization
  • Problematic Scenarios

SAML and XACML

  • SAML History and Overview
  • SAML 2.0 New Features
  • SAML-related features in XACML
  • SAML in Web Services Security
  • Assertions
  • Bindings
  • Profiles
  • Protocols

Using digital signatures

  • The basics of XML signatures
  • Challenges in signing XML
  • XML canonicalization
  • Signing SOAP messages
  • Signing order creation request
  • Sender-side implementation
  • Receiver-side implementation
  • Practical issues with signatures
  • Three rules of signatures
  • Mixing encryption and signatures
  • Which canonicalization scheme?
  • Protecting confidentiality of messages using encryption

Encryption in action

  • The basics of encryption
  • Types of encryption algorithms
  • PKI: A framework for encryption
  • Programming with digital certificates
  • Creating digital certificates
  • Point-to-point encryption with digital certificates (SSL/TLS)
  • Java APIs for encryption
  • Encrypting SOAP messages
  • Sending user credentials with selective encryption
  • Encrypting-side implementation
  • Decrypting-side implementation
  • Practical issues with encryption

Extending SOAP for security

  • Finding the right approach for security in SOAP
  • Lessons from web authentication schemes
  • Authentication at the HTTP layer
  • Choices for security implementation in SOAP
  • Extending SOAP with headers
  • Anatomy of a SOAP header
  • Standard header entry attributes
  • WS-Security: The standard extension for security
  • Introduction to WS-Security
  • Identifying a brokerage service user
  • Processing SOAP extensions using handlers
  • How handlers work
  • Outline of the solution
  • Implementing a server-side JAX-WS handler
  • Implementing a client-side JAX-WS handler
  • Handler chains
  • Configuring handlers and handler chains
  • Processing SOAP extensions using intermediaries
  • Preserving the endpoint information: WS-Addressing

SOAP processing rules for intermediaries

  • SOAP Extensions
  • What should go into the headers?
  • How do we standardize on headers?
  • How many handlers?
  • How do we support handlers?

Declarative Security

  • Interoperability challenges in SOA security
  • Sources of incompatibility
  • Solving Incompatibilities
  • WS-I basic security profile

WS-Policy

  • Discovering Policies
  • Policy Attachment Points
  • Effective Policy
  • WS-MetadataExchange

WS-Security Policy

  • WS-SecurityPolicy: Subject-based Classification
  • WS-SecurityPolicy: Functional Classification
  • Classification of WS-SecurityPolicy
  • Assertions

Security Binding or Security Patterns

  • WS-Security and WS-Trust Conformance
  • Supporting Token Assertions
  • Security Assertion for messages
  • Token Assertions (Lower-level Assertions)
  • "Implementation" to an "interface"

WS-Security Internals

  • WSS: SOAP Message Security - Binary Security Token
  • WSS: SOAP Message Security - Username Token (Default)
  • WSS: SOAP Message Security - Username Token (Hashed)
  • WSS: SOAP Message Security - Timestamp
  • WSS: SOAP Message Security - Security Token Reference
  • WSS: SOAP Message Security - Direct Reference
  • WSS: SOAP Message Security - Key Identifier
  • WSS: SOAP Message Security - X.509 Certificate
  • WSS: SOAP Message Security - X.509 Certificate (Issuer Serial)
  • WSS: SOAP Message Security - X.509 Certificate (Thumbprint)
  • WSS: SOAP Message Security
  • wsc:DerivedKeyToken

WS-SecurityPolicy Internals

  • Token Assertions (Lower-level Assertions) - Common Properties
  • Security Binding or Security Patterns
  • Security Binding or Security Patterns - Properties
  • Security Binding or Security Patterns - Properties (Protection Order)
  • Security Binding or Security Patterns - Properties (Layout)
  • Security Binding or Security Patterns - Symmetric Binding
  • Security Binding (Processing Sequence)
  • Security Binding or Security Patterns - Asymmetric Binding
  • Security Binding (Processing Sequence)
  • Security Binding or Security Patterns - Transport Binding

Supporting Token Assertions

  • SupportingTokensAssertion
  • SignedSupportingTokensAssertion
  • EndorsingSupportingTokensAssertion
  • SignedEndorsingSupportingTokensAssertion
  • SignedEncryptedSupportingTokensAssertion
  • EncryptedSupportingTokensAssertion
  • EndorsingEncryptedSupportingTokensAssertion
  • SignedEndorsingEncryptedSupportingTokensAssertion

Direct Authentication Architecture
Security As a Service

  • Security as a Service - Who invokes the security service?
  • Security as a Service - What is the interface for the security service?

WS-Trust

  • WS-Trust
  • RequestSecurityToken: Constituents
  • WS-Trust - RequestSecurityToken: Constituents
  • WS-Trust - RequestSecurityTokenResponse: Constituents
  • SAML protocol
  • Conveying the findings of a security service: SAML
  • SAML assertion basics
  • AuthenticationStatement
  • Asserting authentication results
  • AttributeStatement: Asserting user attributes
  • AuthorizationDecisionStatement: Asserting authorization decisions
  • Security as a Service - How is the security context communicated to the destination endpoint?

Secure Conversation

  • Security as a Service - Issued Token
  • Security as a Service - Issued Token (Issued Token Step)
  • Security as a Service - Issued Token with Service Certificate
  • Security as a Service - STS Issued Endorsing Token
  • Security as a Service - Issued Token with SC
  • Security as a Service - Brokered Trust
  • Security as a Service - STS with SC

Designing SOA security for a real-world enterprise

  • Meeting the demands of enterprise IT environments
  • Large and diverse user base
  • Long life cycle
  • Robustness
  • Manageability
  • Integration with diverse legacy applications
  • Securing diverse services
  • Services developed from scratch
  • Services wrapping legacy applications
  • Services composed of other services
  • Choosing a deployment architecture
  • For securing services in the intranet
  • For securing services offered to the public
  • For securing services offered to/by partners
  • Making the solution industrial-strength
  • Performance
  • Scalability
  • Availability
  • Vulnerability management
  • Common vulnerabilities
  • XML-specific vulnerabilities
  • Vulnerability remediation workflow

Governance and Security

  • Registry and Repository
  • Registry and Repository Standards
  • Security and Policy Enforcement
  • High Level Patterns of Security
