Secure and Reliable Web Services
Guy Crets, Integration Consultant, Apogado

Overall Presentation Goal
Web Services as the basis for real-life integration, based on WS-Security and WS-ReliableMessaging
www.apogado.com Copyright © 2006 – Apogado CVBA “the IntegrationEngineers”

Speaker's Qualifications
- IT consultant since 1987
- Managing Partner at Apogado
- Doing integration for the last 9 years: from screen-scraping and JMS to SAP NetWeaver
- Speaks frequently on EAI, ESB and WS-*
- Guest lecturer at UAMS
- JavaPolis Steering Member
Waiting for WS-* ...
WS-Security + WS-ReliableMessaging + ...
Web Services can provide one single standard for secure and reliable communication. But after 6 years, it is time to nail things down.
Web Services - SOAP
- XML over HTTP
- Envelope: Header and Body
Web Services
- The SOAP spec dates back to July 2000!
- WSDL: description of web services
- UDDI: discovery of web services
- Focus on synchronous request/reply
- XML over HTTP without SOAP: REST, B2B protocols
- Limited standardization of standard messages; some use of B2B XML standards, e.g. WSDLs from the Open Applications Group
WS (draft) standards
- Metadata: XML, XML Namespaces, XML Information Set, WSDL 1.1 / 2.0, WS-Policy, WS-PolicyAssertions, WS-PolicyAttachment, WS-Discovery, WS-MetadataExchange, WS-RM Policy, UDDI 1.0 / 2.0 / 3.0, WS-Inspection Language
- Messaging: SOAP 1.1 / 1.2, WS-Referral, WS-Routing, WS-Addressing, WS-MessageData, WS-Enumeration, WS-Notification, WS-BaseNotification, WS-BrokeredNotification, WS-Eventing, SOAP-over-UDP
- Messaging (2): WS-ReliableMessaging, WS-Reliability, ASAP, WS-MessageDelivery, WS-Acknowledgement, WS-Callback
- Attachments: SwA (SOAP with Attachments), DIME / WS-Attachments, MTOM (XOP)

More WS-* standards...
- Security: WS-Security: SOAP Message Security; WS-Security: UsernameToken Profile; WS-Security: X.509 Certificate Token Profile; WS-Security: SAML Profile; WS-Security: Kerberos Binding; WS-SecureConversation; WS-SecurityPolicy; WS-Trust; WS-Federation; WS-Federation Active Requestor Profile; WS-Federation Passive Requestor Profile; Web Single Sign-On Interoperability Profile; Web Single Sign-On Metadata Exchange Protocol
- Business Process: XLANG, WSFL, WS-BPEL (BPEL4WS), WS-Choreography, WS-CDL, WSCL (HP), WSCI
- Management: WS-Management, WS-Management Catalog, WS-DM, WS-MUWS part 1, WS-MUWS part 2, WS-MOWS, WS-Manageability

And more ...
- Transactions: WS-Coordination, WS-AtomicTransaction, WS-BusinessActivity, WS-T(X)M, BTP, WS-CAF, WS-Context, WS-CF
- State / Context: WS-Transfer, WS-Resource, WS-ResourceProperties, WS-ResourceLifetime, WS-ServiceGroup, WS-BaseFaults
- More security: XML Signature, XML Encryption, SAML, X-KMS (X-KISS, X-KRSS), XACML
- Miscellaneous: WS-Remote Portlets, WS-Provisioning
"The Web Services Standards Mess" (Eric Newcomer, Iona)
The WS-* mix
SOAP 1.1, SOAP 1.2, WSDL 1.1, WSDL 2.0, WS-Addressing, WS-ReliableMessaging, WS-Security, UDDI, WS-MetadataExchange, SOAP with Attachments, MTOM/XOP, ...
WS-Addressing
- Web service Endpoint References
- Message Information Headers: wsa:MessageID, wsa:RelatesTo, wsa:Action, wsa:To, wsa:From, wsa:ReplyTo, wsa:FaultTo
[Diagram: a message carrying From, To and ReplyTo endpoint references]

Reliable Messaging over HTTP
[Diagram: client and server exchanging messages A and B over HTTP. Message A is lost on the wire (X); the client resends A and the server acknowledges A. Message B arrives but its acknowledgement is lost (X); the client resends B, the server kills the duplicate B and acknowledges B again. Both sides end up with the same sequence: A, B.]
WS-RM protocol
[Sequence diagram between RM Source and RM Destination:]
RM Source -> RM Destination: CreateSequence
RM Source -> RM Destination: MessageNumber 1
RM Source -> RM Destination: MessageNumber 2 (lost, X)
RM Source -> RM Destination: MessageNumber 3, LastMessage
RM Destination -> RM Source: Acknowledge 1 and 3 (acknowledgement ranges), Nack 2
RM Source -> RM Destination: Resend 2, AckRequested
RM Destination -> RM Source: Acknowledge 2
RM Source -> RM Destination: TerminateSequence
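The exchange on the slide, as an added example that is not part of the presentation: a toy RM Source and RM Destination in Python. It reproduces CreateSequence, message numbers 1..3 with number 2 lost, an acknowledgement made of ranges plus a Nack, the resend with AckRequested, and TerminateSequence, and then runs a second sequence in which the acknowledgement itself is lost so the duplicate-killing on the destination side is exercised too. The lossy wire, the sequence id and the payloads are constructed for the example; a real WS-RM stack would also persist the sequence state and enforce the configured delivery assurance.

```python
"""Added example, not code from the presentation: a toy WS-ReliableMessaging
exchange between an RM Source and an RM Destination that reproduces the
slide: CreateSequence, MessageNumber 1..3 with number 2 lost, an
acknowledgement (ranges plus Nack), a resend with AckRequested, and
TerminateSequence. The lossy wire, sequence id and payloads are constructed;
a real stack would also persist state and enforce delivery assurances."""
from collections import defaultdict


def to_ranges(numbers):
    """[1, 3, 4, 5] -> [(1, 1), (3, 5)], like wsrm:AcknowledgementRange Lower/Upper."""
    ranges = []
    for n in sorted(numbers):
        if ranges and ranges[-1][1] == n - 1:
            ranges[-1] = (ranges[-1][0], n)
        else:
            ranges.append((n, n))
    return ranges


def fmt_ranges(ranges):
    return ", ".join(f"{lo}-{hi}" if lo != hi else str(lo) for lo, hi in ranges)


class LossyWire:
    """Drops the listed (kind, number, attempt) transmissions; everything else arrives."""

    def __init__(self, drops):
        self.drops = set(drops)
        self.attempts = defaultdict(int)

    def delivers(self, kind, number):
        self.attempts[(kind, number)] += 1
        return (kind, number, self.attempts[(kind, number)]) not in self.drops


class RMDestination:
    def __init__(self):
        self.received = {}    # sequence id -> {message number: payload}
        self.delivered = []   # payloads handed to the application, in arrival order

    def create_sequence(self, seq_id):
        self.received[seq_id] = {}

    def receive(self, seq_id, number, payload):
        seq = self.received[seq_id]
        if number in seq:
            return "duplicate"            # "Kill duplicate": never deliver twice
        seq[number] = payload
        self.delivered.append(payload)
        return "delivered"

    def acknowledgement(self, seq_id, last_message):
        """SequenceAcknowledgement: ranges received so far, plus Nacks for the gaps."""
        got = self.received[seq_id]
        return to_ranges(got), [n for n in range(1, last_message + 1) if n not in got]

    def terminate_sequence(self, seq_id):
        del self.received[seq_id]


def run_sequence(payloads, drops=(), seq_id="seq-1", max_rounds=10):
    """RM Source side. Returns (transcript, payloads the destination delivered)."""
    wire, dest, log = LossyWire(drops), RMDestination(), []
    dest.create_sequence(seq_id)
    log.append("CreateSequence")
    last_message = len(payloads)
    unacked = dict(enumerate(payloads, start=1))

    def transmit(number):
        return dest.receive(seq_id, number, unacked[number]) if wire.delivers("msg", number) else "lost"

    for number in unacked:
        label = f"MessageNumber {number}" + (", LastMessage" if number == last_message else "")
        log.append(label if transmit(number) != "lost" else label + " (lost)")

    for round_no in range(1, max_rounds + 1):
        if not unacked:
            break
        ack_ranges, nacks = dest.acknowledgement(seq_id, last_message)
        if not wire.delivers("ack", round_no):
            # Ack lost: the source retransmits all it has no ack for; duplicates are killed.
            log.append("Acknowledge (lost)")
            for n in sorted(unacked):
                log.append(f"Resend {n}, AckRequested ({transmit(n)})")
            continue
        log.append(f"Acknowledge {fmt_ranges(ack_ranges)}"
                   + (f", Nack {', '.join(map(str, nacks))}" if nacks else ""))
        for lo, hi in ack_ranges:
            for n in range(lo, hi + 1):
                unacked.pop(n, None)
        for n in nacks:
            log.append(f"Resend {n}, AckRequested ({transmit(n)})")
    if unacked:
        raise RuntimeError(f"sequence {seq_id} not acknowledged after {max_rounds} rounds")
    dest.terminate_sequence(seq_id)
    log.append("TerminateSequence")
    return log, dest.delivered


def demo():
    """The slide's exchange (message 2 lost once), then a lost acknowledgement."""
    return run_sequence(["A", "B", "C"], drops=[("msg", 2, 1)]) + \
        run_sequence(["A", "B"], drops=[("ack", 1, 1)])
```

Two things worth noticing in the transcript. First, the destination's acknowledgement is always the complete picture (ranges of everything received), which is why it is safe for the source to act on the latest one only; the slide's "Acknowledge 2" is the delta. Second, this toy delivers payloads on arrival, so the first run hands the application A, C, B: that is the AtMostOnce assurance, not InOrder. With InOrder the destination would hold C back until the resend of B arrived, which is exactly the buffering a persistent sequence has to survive a restart with.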
Reliable Sessions or Queued Messaging?
- WS-RM says nothing about durability
- Persistent vs. transient sequences
- Persistent sequences survive restarts, crashes, ...
- Microsoft WCF (Indigo) Queued Messaging: uses MSMQ
- Maybe queued messaging based on WS-RM in WCF 1.1?
WS-RM - Impact
- WS-RM will have a MAJOR impact!!!
- Products from different vendors at each side, ~ B2B
- Messaging becomes a commodity
[Diagram: JMS Provider A <-- WS-RM --> .NET System.Messaging]
- Requires queued messaging
SOAP over e-mail?
- Described (non-normative)
- SMTP is quite reliable
- Basic APIs available
- Well-known addressing scheme
- Limited support: Cape Clear, Apache
- SOAP over FTP?

WS-Security
- OASIS standard(s)
- Authentication, Integrity, Privacy
- Profiles: X.509, UserName, Kerberos, SAML, ...
- Stable
- Compatible implementations
- Builds on W3C XML Signature and XML Encryption
WS-Security - Username Token Profile 1.0: clear-text password
WS-Security - Username Token Profile 1.0 / Username Token Profile 1.1
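As an added illustration of the two slides above (example code, not from the presentation): the Username Token Profile 1.0 defines, besides the clear-text PasswordText shown on the first slide, a PasswordDigest of the form Base64(SHA-1(nonce + created + password)), where nonce is the raw decoded nonce bytes and created is the wsu:Created string. The block below builds such a token and verifies it on the server side with the three checks that make the digest worth anything: a freshness window on Created, a nonce cache against replay, and a constant-time digest comparison. The user, password, timestamps and the five-minute window are constructed assumptions.

```python
"""Added example, not from the slides: WS-Security UsernameToken Profile 1.0
PasswordDigest = Base64(SHA-1(nonce + created + password)), built and then
verified with freshness and replay checks. User, password, clock values and
the 5-minute window are constructed for the example."""
import base64
import datetime
import hashlib
import hmac
import os
from xml.etree import ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PROFILE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"
DIGEST_TYPE, TEXT_TYPE = PROFILE + "#PasswordDigest", PROFILE + "#PasswordText"
B64 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
FMT = "%Y-%m-%dT%H:%M:%SZ"


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Exactly the profile's formula: raw nonce bytes, then the Created string, then the password."""
    return base64.b64encode(hashlib.sha1(nonce + created.encode() + password.encode()).digest()).decode()


def username_token(username: str, password: str, now: datetime.datetime, nonce: bytes = None) -> str:
    """Client side: a wsse:UsernameToken with PasswordDigest, Nonce and wsu:Created."""
    nonce = nonce or os.urandom(16)
    created = now.strftime(FMT)
    return (f'<wsse:UsernameToken xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">'
            f'<wsse:Username>{username}</wsse:Username>'
            f'<wsse:Password Type="{DIGEST_TYPE}">{password_digest(nonce, created, password)}</wsse:Password>'
            f'<wsse:Nonce EncodingType="{B64}">{base64.b64encode(nonce).decode()}</wsse:Nonce>'
            f'<wsu:Created>{created}</wsu:Created></wsse:UsernameToken>')


class UsernameTokenVerifier:
    """Server side. Needs the clear-text password (or an equivalent secret) to recompute the digest."""

    def __init__(self, passwords: dict, max_age=datetime.timedelta(minutes=5)):
        self.passwords = passwords
        self.max_age = max_age
        self.seen_nonces = set()   # a real cache would expire entries older than max_age

    def verify(self, token_xml: str, now: datetime.datetime) -> str:
        tok = ET.fromstring(token_xml)
        ns = {"wsse": WSSE, "wsu": WSU}
        username = tok.findtext("wsse:Username", namespaces=ns)
        pw = tok.find("wsse:Password", ns)
        if pw is None or pw.get("Type") != DIGEST_TYPE:
            return "reject: only PasswordDigest accepted"
        nonce = base64.b64decode(tok.findtext("wsse:Nonce", namespaces=ns) or "")
        created = tok.findtext("wsu:Created", namespaces=ns) or ""
        try:
            created_at = datetime.datetime.strptime(created, FMT)
        except ValueError:
            return "reject: malformed Created"
        if abs(now - created_at) > self.max_age:
            return "reject: Created outside freshness window"
        if (username, nonce) in self.seen_nonces:
            return "reject: nonce replayed"
        # Recompute even for unknown users so the failure path takes the same time.
        expected = password_digest(nonce, created, self.passwords.get(username, ""))
        if username not in self.passwords or not hmac.compare_digest(expected, pw.text or ""):
            return "reject: bad digest"
        self.seen_nonces.add((username, nonce))
        return "ok"


def demo():
    now = datetime.datetime(2006, 3, 1, 10, 0, 0)
    verifier = UsernameTokenVerifier({"alice": "s3cret"})
    token = username_token("alice", "s3cret", now)
    return [
        verifier.verify(token, now),                                          # first use
        verifier.verify(token, now),                                          # same token again
        verifier.verify(username_token("alice", "wrong", now), now),          # wrong password
        verifier.verify(username_token("alice", "s3cret", now),
                        now + datetime.timedelta(minutes=10)),                # stale Created
        verifier.verify(username_token("alice", "s3cret", now)
                        .replace(DIGEST_TYPE, TEXT_TYPE), now),               # clear-text type refused
    ]
```

The digest only hides the password from a passive observer and, with the nonce cache, stops a captured token from being replayed; it does not authenticate the server or protect the Body, so the token still travels over HTTPS, and the verifier still has to store a password it can recompute the digest from.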
WS-Security - Signing

Canonicalization
- C14N = Canonicalization ('C' + 14 characters + 'N')
- "Standardize" the XML document:
  - Standard encoding (UTF-8)
  - Line breaks: #xA (new line)
  - Attributes: normalize white space; single quotes become double quotes; quotes within quotes become &quot;
  - Remove XML and DTD declarations
  - Empty elements: written as an explicit start-tag/end-tag pair

Canonicalization (continued)
Step by step
Sign the hash of the hashes
XML Security - Signature
XML Security - Signature (continued)
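The canonicalization and "sign the hash of the hashes" slides above, carried through in Python as an added example (not code from the presentation). Each signed part (here a wsu:Timestamp and the SOAP Body) is canonicalized and digested; the digests become ds:Reference elements in ds:SignedInfo; SignedInfo is canonicalized in turn and that is what gets signed. Two substitutions keep the block standard-library only, and both are assumptions of the example: the stdlib C14N 2.0 (xml.etree.ElementTree.canonicalize) stands in for the C14N 1.0 or Exclusive C14N that WS-Security stacks actually use, and an HMAC stands in for the RSA signature over an X.509 key. The sample parts, wsu:Id values and key are constructed.

```python
"""Added example (not code from the slides): how a WS-Security signature is
built from canonicalized parts. Each signed part is canonicalized and
digested; the digests go into ds:SignedInfo; SignedInfo itself is
canonicalized and signed ("sign the hash of the hashes"). Assumptions: the
stdlib C14N 2.0 replaces C14N 1.0 / Exclusive C14N, an HMAC replaces the
X.509 RSA signature, and all messages, Ids and the key are constructed."""
import base64
import hashlib
import hmac
from xml.etree import ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample parts, identified by wsu:Id as WS-Security does.
TIMESTAMP = (f'<wsu:Timestamp xmlns:wsu="{WSU}" wsu:Id="ts-1">'
             '<wsu:Created>2006-03-01T10:00:00Z</wsu:Created>'
             '<wsu:Expires>2006-03-01T10:05:00Z</wsu:Expires></wsu:Timestamp>')
BODY = (f'<s:Body xmlns:s="{SOAP}" xmlns:wsu="{WSU}" wsu:Id="body-1">'
        '<transfer amount="100" to="acct-42"/></s:Body>')
# The same Body as an intermediary might re-serialize it: single quotes,
# attributes and namespace declarations reordered, empty element expanded.
BODY_RESERIALIZED = (f"<s:Body xmlns:wsu='{WSU}' wsu:Id='body-1' xmlns:s='{SOAP}'>"
                     "<transfer to='acct-42' amount='100'></transfer></s:Body>")


def c14n(xml: str) -> bytes:
    """Canonical form: UTF-8, sorted double-quoted attributes, no empty-element tags."""
    return ET.canonicalize(xml).encode("utf-8")


def digest_value(xml: str) -> str:
    return base64.b64encode(hashlib.sha256(c14n(xml)).digest()).decode()


def build_signed_info(digests: dict) -> str:
    refs = "".join(f'<ds:Reference URI="#{wsu_id}"><ds:DigestValue>{dv}</ds:DigestValue></ds:Reference>'
                   for wsu_id, dv in digests.items())
    return (f'<ds:SignedInfo xmlns:ds="{DS}">'
            '<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2010/10/xml-c14n2"/>'
            '<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"/>'
            f'{refs}</ds:SignedInfo>')


def sign(parts: dict, key: bytes):
    """parts maps wsu:Id -> XML of that part. Returns (SignedInfo, SignatureValue)."""
    signed_info = build_signed_info({wsu_id: digest_value(xml) for wsu_id, xml in parts.items()})
    mac = hmac.new(key, c14n(signed_info), hashlib.sha256).digest()
    return signed_info, base64.b64encode(mac).decode()


def verify(parts: dict, signed_info: str, signature_value: str, key: bytes) -> bool:
    # 1. SignatureValue must be the MAC of the canonical SignedInfo as received.
    expected = hmac.new(key, c14n(signed_info), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, base64.b64decode(signature_value)):
        return False
    # 2. Every Reference must match a part we hold, and every part we rely on
    #    must be referenced: an unreferenced Body is simply an unsigned Body.
    ns = {"ds": DS}
    refs = {ref.get("URI").lstrip("#"): ref.findtext("ds:DigestValue", namespaces=ns) or ""
            for ref in ET.fromstring(signed_info).findall("ds:Reference", ns)}
    if set(refs) != set(parts):
        return False
    return all(hmac.compare_digest(refs[wsu_id], digest_value(xml)) for wsu_id, xml in parts.items())


def demo():
    key = b"constructed-shared-secret"
    signed_info, sig = sign({"ts-1": TIMESTAMP, "body-1": BODY}, key)
    # Re-serialization survives canonicalization; a changed amount does not.
    reserialized_ok = verify({"ts-1": TIMESTAMP, "body-1": BODY_RESERIALIZED}, signed_info, sig, key)
    tampered_ok = verify({"ts-1": TIMESTAMP, "body-1": BODY.replace('amount="100"', 'amount="9999"')},
                         signed_info, sig, key)
    return reserialized_ok, tampered_ok
```

The second half of verify is where real stacks have gone wrong: checking SignatureValue proves that SignedInfo is authentic, but it is the Reference list that says which parts are covered. A verifier that trusts the signature and then reads a Body the References never mentioned (or resolves the URI to a different element than the one it processes) has checked a signature over nothing of interest.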
XML Security - Timestamps
- Addition to XML Signature
- wsu: Web Services Utility namespace
WS-Security developments
- SAML Token Profile
- Security Roadmap: WS-Trust
- InfoCard
- Real-world secure web service: PayPal
- Security in hardware
SAML
- The Security Assertion Markup Language is an XML-based framework for Web services that enables the exchange of authentication and authorization information among business partners.
- Pre-dates WS-*
- Use cases: Single Sign-On, Authorization Service, Back-office transaction
- OASIS included SAML in WS-Security
- Strong focus on Single Sign-On from the browser
[Diagram: the Client sends an Assertion Request to a trusted 3rd-party SAML Authority and receives an Assertion Response (an Authentication, Attribute or Authorization assertion); the Client then presents "Subject" + Assertion to the Server.]
Protocol: HTTP, SMTP, SOAP, JMS, ebXML, ...
SAML Assertion

The WS-* security stack (top to bottom):
  WS-SecureConversation | WS-Federation | WS-Authorization
  WS-Policy             | WS-Trust      | WS-Privacy
  WS-Security
  SOAP Foundation
WS-Trust
- Issuance: the Client presents a Claim to the Security Token Service and receives a Token (~ SAML Authentication)
- Validation: the Client presents a Token to the Security Token Service and receives a Decision
- Exchange: the Client presents a Token to the Security Token Service and receives a Token of another kind, e.g. convert X.509 or SAML to Kerberos

WS-Trust
[Diagram: Client and Server each have a Policy and their own STS, and the two STSs "trust" each other. The Client obtains a Token from its STS (WS-Trust Issue), calls the Server with WS-Security carrying the Token, and the Server's STS validates or exchanges that Token (WS-Trust Validate / Exchange).]
Microsoft InfoCard
[Diagram: the relying party's Policy is retrieved with WS-MEX; the user selects an "identity"; the identity provider issues a token via WS-Trust (e.g. SAML); the token is presented to the relying party with WS-Security.]
Specialized WS Security products & vendors
Agents / PEP:
- Enforce policies (PEP)
- Proxies or plugged into the WS stack
- Overlap between Access Control / Securing and Identity Mgt. solutions, and Managing web services
- WS-Policy support
- (Reverse) proxy
Features:
- Sign, validate
- Encrypt/decrypt
- Support WS-Security, SAML, ...
- Integrate with tools/products for LDAP
- Data validation: against WSDL, against schemas
- Detect Denial-of-Service
- Audit trail
- Route message
WS stack
[Diagram: Client and Server, each with a layered WS stack: XSLT, XQuery, Security, ..., Routing, SOAP, WS-Management. Between them sits Service "mediation": Security, Routing, WS-Management, ...]

Real Web Services Security
- Salesforce.com: user id & password (no WS-Security); returns a session id and a new server URL, e.g. https://na1-api.salesforce.com/services/Soap/c/7.0
- Amazon S3: Signature: RFC 2104 HMAC-SHA1 of "AmazonS3" + OPERATION + Timestamp, e.g. AmazonS3CreateBucket2005-01-31T23:59:59.183Z
- PayPal: uses HTTPS with client certificate or "Signature"
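The Amazon S3 scheme on the slide, worked through as an added example (not code from the presentation or from Amazon): the string to sign is "AmazonS3" + OPERATION + Timestamp, the MAC is RFC 2104 HMAC-SHA1 keyed with the secret access key, and the receiving side has to check the timestamp window before comparing MACs. The secret key, request values and the 15-minute window are constructed assumptions.

```python
"""Added example, not from the slides: the Amazon S3 SOAP request signature
as the slide states it (RFC 2104 HMAC-SHA1 over "AmazonS3" + OPERATION +
Timestamp, keyed with the secret access key), plus the checks a receiving
side needs. Key, request values and the 15-minute window are constructed."""
import base64
import datetime
import hashlib
import hmac

TS_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ"   # matches the slide's 2005-01-31T23:59:59.183Z


def string_to_sign(operation: str, timestamp: str) -> str:
    return "AmazonS3" + operation + timestamp


def s3_soap_signature(secret_key: str, operation: str, timestamp: str) -> str:
    """Client side: Base64(HMAC-SHA1(secret_key, string_to_sign))."""
    mac = hmac.new(secret_key.encode(), string_to_sign(operation, timestamp).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def verify_s3_soap_request(secret_key: str, operation: str, timestamp: str, signature: str,
                           now: datetime.datetime, window=datetime.timedelta(minutes=15)) -> str:
    """Server side: parse and bound the timestamp first, then compare MACs in constant time."""
    try:
        ts = datetime.datetime.strptime(timestamp, TS_FORMAT)
    except ValueError:
        return "reject: malformed Timestamp"
    if abs(now - ts) > window:
        return "reject: Timestamp outside window"
    if not hmac.compare_digest(s3_soap_signature(secret_key, operation, timestamp), signature):
        return "reject: bad signature"
    return "ok"


def demo():
    key, ts = "constructed-secret-access-key", "2005-01-31T23:59:59.183Z"
    sig = s3_soap_signature(key, "CreateBucket", ts)
    now = datetime.datetime(2005, 1, 31, 23, 59, 59, 183000)
    return [
        verify_s3_soap_request(key, "CreateBucket", ts, sig, now),
        verify_s3_soap_request(key, "DeleteBucket", ts, sig, now),       # MAC is bound to the operation
        verify_s3_soap_request(key, "CreateBucket", ts, sig,
                               now + datetime.timedelta(hours=1)),        # stale, even though the MAC is right
        verify_s3_soap_request(key, "CreateBucket", "not-a-timestamp", sig, now),
    ]
```

Note what the string to sign, as the slide gives it, does not contain: the bucket name, the key or any other parameter of the request. Within the timestamp window a captured signature is therefore valid for any other request of the same operation, which is why this scheme is only acceptable over HTTPS and with a short window; later request-signing schemes include a canonical form of the whole request in the signed string.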
WS/XML firewalls
- Sarvega's XPE 2000
- Forum Systems' XWall
- DataPower's XS40 XML Security Gateway (IBM)
- Westbridge Technology's XML Message Server
- Vordel's VordelSecure
- Reactivity's Reactivity XML Firewall
- Digital Evolution
- Cisco AON
EAI – WS – B2B
[Diagram:]
- B2B: EDIINT, AS2, EDI VAN (Value Added Network), Firewall, Transaction Delivery Network
- WS: used for request/reply (RPC) within organizations
- EAI: communication "Bus"; messaging used for both request/reply (RPC) and asynchronous communication

EAI: Enterprise Service Bus
Enterprise Service Bus
[Diagram: a Communication Bus (e.g. JMS) with Design & configuration, Routing (XPath), Monitoring, Process Engine (BPEL4WS), Transform (XSLT) and Adapter (JCA) components.]
B2B - External connectivity
- EDI VAN
- RosettaNet – CIDX – PIDX
- ebXML
- EDIINT AS1/AS2/AS3
- BizTalk Framework 2.0
- FTP, FTPS (over SSL), SFTP (SSH), ...
B2B
- Almost no Web Services
  - SwA: BizTalk Framework and ebXML
  - XML over HTTP, FTP, ...
  - EDIINT: can carry XML, but mostly EDIFACT & X12
- Acknowledgements
  - EDIINT: Message Disposition Notification
- Security
  - SSL, of course
  - RosettaNet & EDIINT: S/MIME and PKCS#7
  - ebXML: XML Signature (pre-dates WS-Security)
Recommended Reading

soapUI
Conclusions
- WS-standards are "settling": WS-Security + WS-RM + WS-Addressing
- More patience (why does it take so long?)
- Lessons from previous technologies, e.g. EDI
- WSDL first, know your XML (Schemas)
- Make your web service secure
- And "asynchronous": EAI/ESB as "stepping stone"
Q&A
Guy Crets [email protected] +32.(0)479.27.36.58
Apogado CVBA www.apogado.com www.integrationengineers.com