Secure and Reliable Web Services
Guy Crets, Integration Consultant, Apogado

Overall Presentation Goal

Web Services as basis for real-life Integration, based on WS-Security and WS-ReliableMessaging

www.apogado.com Copyright © 2006 – Apogado CVBA “the IntegrationEngineers”

Speaker’s Qualifications

• IT Consultant since 1987
• Managing Partner at Apogado
• Doing integration for the last 9 years: from screen-scraping and JMS to SAP Netweaver
• Speaks frequently on EAI, ESB and WS-*
• Guest lecturer at UAMS
• JavaPolis Steering Member

Waiting for WS-* …

WS-Security + WS-ReliableMessaging + …

Web Services can provide one single standard for secure and reliable communication. But after 6 years, it’s time to nail things down.

Web Services - SOAP

• XML over HTTP
• Envelope: Header and body ...

Web Services

• SOAP spec dates back from July 2000!
• WSDL: description of web services
• UDDI: discovery of web services
• Focus on synchronous request/reply
• XML over HTTP without SOAP: REST, B2B protocols
• Limited standardization of standard messages: some use of B2B XML standards, e.g. WSDLs from Open Applications Group

WS (draft) standards

XML: XML; XML Namespaces; XML Information Set
Metadata: WSDL 1.1, 2.0; WS-Policy; WS-PolicyAssertions; WS-PolicyAttachment; WS-Discovery; WS-MetadataExchange; WS-RM Policy; UDDI 1.0, 2.0, 3.0; WS Inspection Language
Messaging: SOAP 1.1, 1.2; WS-Referral; WS-Routing; WS-Addressing; WS-MessageData; WS-ReliableMessaging; WS-Reliability; WS-MessageDelivery; WS-Acknowledgement; WS-Callback
Messaging (2): WS-Enumeration; WS-Notification; WS-BaseNotification; WS-BrokeredNotification; WS-Eventing; SOAP-over-UDP; ASAP
Attachments: SwA (SOAP with Attachments); DIME / WS-Attachments; MTOM (XOP)

More WS-* standards...

Security: WS-Security: SOAP Message Security; WS-Security: UsernameToken Profile; WS-Security: X.509 Certificate Token Profile; WS-Security: SAML Profile; WS-Security: Kerberos Binding; WS-SecureConversation; WS-SecurityPolicy; WS-Trust; WS-Federation; WS-Federation Active Requestor Profile; WS-Federation Passive Requestor Profile; Web Single Sign-On Interoperability Profile; Web Single Sign-On Metadata Exchange Protocol
Business Process: XLANG; WSFL; WS-BPEL (BPEL4WS); WS-Choreography; WS-CDL; WSCL (HP); WSCI
Management: WS-Management; WS-Management Catalog; WS-DM; WS-MUWS part 1; WS-MUWS part 2; WS-MOWS; WS-Manageability

And more ...

Transactions: WS-Coordination; WS-AtomicTransaction; WS-BusinessActivity; WS-T(X)M; BTP; WS-CAF; WS-Context; WS-CF
State / Context: WS-Transfer; WS-Resource; WS-ResourceProperties; WS-ResourceLifetime; WS-ServiceGroup; WS-BaseFaults
More security: XML Signing; XML Encryption; SAML; X-KMS; X-KISS; X-KRSS; XACML
Miscellaneous: WS-Remote Portlets; WS-Provisioning

“The Web Services Standards Mess” (Eric Newcomer, Iona)

The WS-* mix

SOAP 1.1, SOAP 1.2, WSDL 1.1, WSDL 2.0, WS-Addressing, WS-ReliableMessaging, WS-Security, UDDI, WS-MetaDataExchange, SOAP with Attachments, MTOM/XOP, ...

WS-Addressing

Example header (XML elements lost in extraction): wsa:MessageID uuid:aaaabbbb-cccc-dddd-eeee-wwwwwwwwwww, wsa:Action http://../CreateOrder ... ...

WS-Addressing

• Web service Endpoint References
• Message Information Headers: wsa:MessageID, wsa:RelatesTo, wsa:Action, wsa:To, wsa:From, wsa:ReplyTo, wsa:FaultTo

Diagram: endpoints From, To and Reply To.

Reliable Messaging over HTTP

Diagram (client and server): Message A is sent and lost (X); Message A is resent and the server sends Acknowledge A. Message B is sent, the server sends Acknowledge B, but the acknowledgement is lost (X); Message B is resent, the server kills the duplicate B and sends Acknowledge B again. Both sides end up with A, B delivered once each.

WS-RM protocol

Exchange between RM Source and RM Destination:

RM Source -> RM Destination: CreateSequence
RM Source -> RM Destination: MessageNumber 1
RM Source -> RM Destination: MessageNumber 2 (lost, X)
RM Source -> RM Destination: MessageNumber = 3, LastMessage
RM Destination -> RM Source: Acknowledge 1-3, Nack 2
RM Source -> RM Destination: Resend 2, AckRequested
RM Destination -> RM Source: Acknowledge 2
RM Source -> RM Destination: TerminateSequence
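The exchange above, and the duplicate kill from the "Reliable Messaging over HTTP" diagram, as an added simulation that is not part of the original slides. RmDestination tracks which MessageNumbers of a sequence arrived and reports acknowledgement ranges; run_sequence plays the RM Source, resending whatever is not acknowledged. The class and function names, the sequence identifier and the payloads are this example's own.

```python
"""Added example (not from the slides): minimal WS-RM sequence simulation."""


class RmDestination:
    """RM Destination: remembers which MessageNumbers of a sequence arrived,
    discards duplicates and reports acknowledgement ranges."""

    def __init__(self):
        self.sequences = {}          # sequence id -> {message number: payload}

    def create_sequence(self, seq_id: str) -> None:
        self.sequences[seq_id] = {}

    def receive(self, seq_id: str, msg_no: int, payload: str) -> bool:
        """Deliver once; return False when the same MessageNumber arrives again
        (the resend that follows a lost acknowledgement)."""
        received = self.sequences[seq_id]
        if msg_no in received:
            return False
        received[msg_no] = payload
        return True

    def acknowledgement(self, seq_id: str) -> list:
        """Acknowledged ranges as (lower, upper) pairs, e.g. [(1, 1), (3, 3)]
        when message 2 is missing; this is what the AcknowledgementRange
        elements of a SequenceAcknowledgement header carry."""
        ranges = []
        for n in sorted(self.sequences[seq_id]):
            if ranges and ranges[-1][1] == n - 1:
                ranges[-1] = (ranges[-1][0], n)
            else:
                ranges.append((n, n))
        return ranges

    def terminate_sequence(self, seq_id: str) -> list:
        """Payloads in MessageNumber order; the sequence state is dropped."""
        received = self.sequences.pop(seq_id)
        return [received[n] for n in sorted(received)]


def missing_numbers(last: int, acked: list) -> list:
    """Gaps the RM Source must resend (the 'Nack' in the diagram)."""
    acked_set = {n for lo, hi in acked for n in range(lo, hi + 1)}
    return [n for n in range(1, last + 1) if n not in acked_set]


def run_sequence(payloads: list, lose_first_send=(), max_rounds: int = 3):
    """RM Source side: send every message once, then keep asking for
    acknowledgements and resending gaps until all numbers are acknowledged.
    Numbers in lose_first_send are lost on their first transmission only."""
    dest = RmDestination()
    seq_id = "urn:uuid:constructed-sequence-1"      # constructed identifier
    dest.create_sequence(seq_id)
    last = len(payloads)
    trace = ["CreateSequence"]
    for msg_no, payload in enumerate(payloads, start=1):
        label = f"MessageNumber {msg_no}" + (", LastMessage" if msg_no == last else "")
        if msg_no in lose_first_send:
            trace.append(label + " (lost)")
            continue
        dest.receive(seq_id, msg_no, payload)
        trace.append(label)
    for _ in range(max_rounds):
        acked = dest.acknowledgement(seq_id)
        gaps = missing_numbers(last, acked)
        trace.append(f"Acknowledge {acked}, Nack {gaps}")
        if not gaps:
            break
        for msg_no in gaps:
            dest.receive(seq_id, msg_no, payloads[msg_no - 1])
            trace.append(f"Resend {msg_no}, AckRequested")
    else:
        raise RuntimeError("sequence not fully acknowledged after retries")
    trace.append("TerminateSequence")
    return dest.terminate_sequence(seq_id), trace


if __name__ == "__main__":
    delivered, trace = run_sequence(["order-1", "order-2", "order-3"], lose_first_send={2})
    print("\n".join(trace))
    print("delivered:", delivered)
```

Note that WS-RM as shown here only makes delivery exactly-once within one sequence held in memory; as the next slide says, whether that state survives a restart is up to the implementation.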

Reliable Sessions or Queued Messaging?

• WS-RM says nothing about durability
• Persistent vs. Transient sequences
• Persistent sequences survive re-starts, crashes, ...
• Microsoft WCF (Indigo) Queued Messaging: use MSMQ
• Maybe queued Messaging based on WS-RM in WCF 1.1?

WS-RM - Impact

• WS-RM will have MAJOR impact!!!
• Products from different vendors at each side ~ B2B
• Messaging becomes a commodity

Diagram: JMS (JMS Provider A) <-> WS-RM <-> .NET (System.Messaging); requires Queued Messaging

SOAP over e-mail?

• Described (non-normative)
• SMTP is quite reliable
• Basic APIs available
• Well-known addressing scheme
• Limited support: CapeClear, Apache
• SOAP over FTP?

WS-Security

• OASIS standard(s)
• Authentication, Integrity, Privacy
• Profiles: X509, UserName, Kerberos, SAML, ...
• Stable
• Compatible implementations
• Builds on W3C XML Signature and XML Encryption

WS-Security Username Profile 1.0

Clear-text password. Example token (XML elements lost in extraction): Username guy, Password password ...

WS-Security Username Profile 1.0 -> UsernameToken Profile 1.1

• Derive key from password
• Encryption
• Integrity (MAC)

Example token (XML elements lost in extraction): Username Guy Crets; PasswordDigest D2A12DFE8D9F0C6BB82C89B091DF5C8A872F94DC; Nonce EFD89F06CCB28C89; Created 2005-11-20T15:01:30Z
PasswordDigest = Hash(Nonce + TimeStamp + Password)
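The digest construction above, computed on the client and verified on the server, as an added example that is not from the slides. In the 1.1 profile PasswordDigest = Base64(SHA-1(nonce + created + password)), where the nonce is the raw bytes behind the Base64 Nonce element. The verifier also refuses tokens whose Created time is outside a short window and nonces it has already accepted, which is what makes the digest useful against replay of a captured header. The user store, the nonce bytes (taken from the slide's hex value) and the clock values are constructed; UsernameTokenVerifier is this example's own name.

```python
"""Added example (not from the slides): UsernameToken Profile 1.1 PasswordDigest."""
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"
USERS = {"guy": "password"}   # constructed store holding the slide's sample credentials


def password_digest(nonce_b64: str, created: str, password: str) -> str:
    """Base64(SHA-1(nonce-bytes + created + password)) as in the 1.1 profile."""
    material = base64.b64decode(nonce_b64) + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(material).digest()).decode("ascii")


def make_token(username: str, password: str, nonce: bytes = None, created: str = None) -> dict:
    """Client side: a fresh random nonce and the current UTC time unless supplied."""
    nonce = nonce if nonce is not None else os.urandom(16)
    created = created or datetime.now(timezone.utc).strftime(TS_FORMAT)
    nonce_b64 = base64.b64encode(nonce).decode("ascii")
    return {"Username": username, "Nonce": nonce_b64, "Created": created,
            "PasswordDigest": password_digest(nonce_b64, created, password)}


class UsernameTokenVerifier:
    """Server side: checks the digest, the freshness of Created and nonce reuse.
    The server needs the clear-text password (or an equivalent) to recompute
    the digest, which is a known limitation of this profile."""

    def __init__(self, users: dict, max_age_seconds: int = 300, skew_seconds: int = 60):
        self.users = users
        self.max_age = timedelta(seconds=max_age_seconds)
        self.skew = timedelta(seconds=skew_seconds)
        self.seen_nonces = set()   # production: cache whose entries expire after max_age + skew

    def verify(self, token: dict, now_iso: str = None) -> bool:
        password = self.users.get(token.get("Username"))
        if password is None:
            return False                      # unknown user: same answer as a bad digest
        try:
            created = datetime.strptime(token["Created"], TS_FORMAT).replace(tzinfo=timezone.utc)
        except (KeyError, ValueError):
            return False
        now = (datetime.strptime(now_iso, TS_FORMAT).replace(tzinfo=timezone.utc)
               if now_iso else datetime.now(timezone.utc))
        if created > now + self.skew or now - created > self.max_age:
            return False                      # stale or future-dated token
        expected = password_digest(token["Nonce"], token["Created"], password)
        if not hmac.compare_digest(expected, token.get("PasswordDigest", "")):
            return False
        if token["Nonce"] in self.seen_nonces:
            return False                      # same token presented a second time
        self.seen_nonces.add(token["Nonce"])
        return True


if __name__ == "__main__":
    token = make_token("guy", "password")
    verifier = UsernameTokenVerifier(USERS)
    print(token)
    print("first:", verifier.verify(token), "second:", verifier.verify(token))
```

The freshness window and the nonce cache belong together: the cache only has to remember nonces for as long as a token with that Created value would still be accepted.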

WS-Security - Signing

XML Signature ... ... ... (example markup lost in extraction)

XML Signature

Example values (XML elements lost in extraction): j6lwx3rvEPO0vKtMup4NbeVu8nk= (digest), MC0CFFrVLtRlk=... (signature) ……

XML Signature

Signature structure (W3C XML Signature syntax summary):
  SignedInfo
    (CanonicalizationMethod)
    (SignatureMethod)
    (Reference URI=...
       (Transforms)?
       (DigestMethod)
       (DigestValue) )+
  (SignatureValue)
  (KeyInfo)?
  (Object)*

References = the object to be signed, selected by URI:
• External document: URI=“http://www…/…"
• Document itself (root): URI=""
• Part of document: URI="#PurchaseOrder"
• Attachments

KeyInfo = certificate

Canonicalization

C14N: CanonicalizatioN (‘C’ + 14 chars + ’N’)
“Standardize” the XML document:
• Standard encoding (UTF-8)
• Line breaks: #xA (new line)
• Attributes: normalize white space; single quotes -> double quotes; quotes within quotes -> &quot;
• Remove XML and DTD declarations
• Empty elements: empty-element tag written as start tag + end tag
• Namespace declarations: remove unused, sort
• …

Canonicalization

Example slide: the same document before and after canonicalization (XML markup lost in extraction).

Step by step

For each Reference:
• Transform (usually c14n)
• Calculate digest
• Create the Reference element
For SignedInfo (containing all References):
• Canonicalize
• Calculate digest
• Encrypt digest (= sign)
• Result in SignatureValue

“Indirect” signing:
1. Hash of every reference
2. Hash of the hashes
3. Sign the “hash of the hashes”
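The three steps above, together with the canonicalization rules from the previous slides, as an added example that is not part of the original deck: each Reference is canonicalized and digested, the Reference digests are collected in SignedInfo, and the canonical SignedInfo is what gets signed; the verifier recomputes every digest from what it actually received before checking the signature. It uses xml.etree.ElementTree.canonicalize from the Python standard library, which implements C14N 2.0 rather than the C14N 1.0 the slides describe, and the XML-DSig HMAC-SHA1 SignatureMethod so that a shared key stands in for a certificate. The purchase-order document, the key and the function names are constructed; the Reference URI #PurchaseOrder is the slide's.

```python
"""Added example (not from the slides): digest each Reference, sign the
canonical SignedInfo, verify by recomputing the digests."""
import base64
import hashlib
import hmac
from xml.etree import ElementTree as ET

DSIG = "http://www.w3.org/2000/09/xmldsig#"
C14N2 = "http://www.w3.org/2010/10/xml-c14n2"     # C14N 2.0 algorithm identifier
KEY = b"constructed-shared-secret"                # stands in for the signing key

# Constructed order document. The second copy differs only in formatting
# (XML declaration, quote style, attribute order); canonicalization must
# make the two byte-identical so that they produce the same DigestValue.
ORDER = ('<PurchaseOrder xmlns="urn:example:po" Id="PurchaseOrder">\n'
         '  <Item qty="2" sku="W-1">widget</Item>\n'
         '</PurchaseOrder>')
ORDER_REFORMATTED = ("<?xml version='1.0'?>"
                     "<PurchaseOrder Id='PurchaseOrder' xmlns='urn:example:po'>\n"
                     "  <Item sku='W-1' qty='2'>widget</Item>\n"
                     "</PurchaseOrder>")


def c14n(xml_text: str) -> bytes:
    """Transform step: canonical form, so equivalent documents hash the same."""
    return ET.canonicalize(xml_text).encode("utf-8")


def digest_value(xml_text: str) -> str:
    """Step 1: Base64(SHA-1) of one reference's canonical form."""
    return base64.b64encode(hashlib.sha1(c14n(xml_text)).digest()).decode("ascii")


def build_signed_info(references: dict) -> str:
    """One Reference (URI + DigestValue) per signed part, wrapped in SignedInfo."""
    refs = "".join(
        f'<Reference URI="{uri}"><DigestMethod Algorithm="{DSIG}sha1"/>'
        f"<DigestValue>{digest_value(xml)}</DigestValue></Reference>"
        for uri, xml in references.items())
    return (f'<SignedInfo xmlns="{DSIG}">'
            f'<CanonicalizationMethod Algorithm="{C14N2}"/>'
            f'<SignatureMethod Algorithm="{DSIG}hmac-sha1"/>{refs}</SignedInfo>')


def sign(references: dict, key: bytes) -> tuple:
    """Steps 2 and 3: canonicalize SignedInfo (the hash of the hashes) and
    sign it; returns (SignedInfo XML, Base64 SignatureValue)."""
    signed_info = build_signed_info(references)
    mac = hmac.new(key, c14n(signed_info), hashlib.sha1).digest()
    return signed_info, base64.b64encode(mac).decode("ascii")


def verify(signed_info: str, signature_value: str, references: dict, key: bytes) -> bool:
    """Verifier: recompute every DigestValue from the parts actually received,
    then check the signature over the canonical SignedInfo. A changed part,
    a missing part or a changed SignedInfo all make this fail."""
    root = ET.fromstring(signed_info)
    for ref in root.findall(f"{{{DSIG}}}Reference"):
        uri = ref.get("URI")
        claimed = ref.findtext(f"{{{DSIG}}}DigestValue")
        if uri not in references or digest_value(references[uri]) != claimed:
            return False
    expected = hmac.new(key, c14n(signed_info), hashlib.sha1).digest()
    return hmac.compare_digest(expected, base64.b64decode(signature_value))


if __name__ == "__main__":
    si, sv = sign({"#PurchaseOrder": ORDER}, KEY)
    print(si)
    print("SignatureValue:", sv)
    print("verifies:", verify(si, sv, {"#PurchaseOrder": ORDER_REFORMATTED}, KEY))
```

Because the signature covers SignedInfo rather than the order itself, checking the SignatureValue alone is not enough: a verifier that skips the per-Reference digest recomputation would accept a modified order under an unmodified signature.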

Sign the hash of the hashes

Diagram: (1) each reference: Transform ... (hash) -> Digest ...; (2) SignedInfo: Transform (Canonicalize) -> Digest -> Encrypt -> SignatureValue …hTHQJyd3C6ww…

X509Token Profile

Example token value, Base64 (XML elements lost in extraction): FIgEZzCRF1EgILBAgIQEmtJZc0rqrKh5i... ….

Certificate:
• Container for public key
• Identity: owner of private key
• Attested by the CA

XML Security - Signature

Example (XML elements lost in extraction): certificate FIgEZzCRF1EgILBAgIQEmtJZc0rqrKh5i..., signature value EULddytSo1...

XML Security - Signature

Example (XML elements lost in extraction): XLdER8=ErToEb1l/vXcMZNNjPOV... 1234

XML Security - Timestamps

• Addition to XML Signature
• wsu = Web Services Utility

Example timestamp (XML elements lost in extraction): Created 2005-03-03T01:42:00Z, Expires 2005-03-04T01:00:00Z ... ...

WS-Security developments

• SAML Token Profile
• Security Roadmap
• WS-Trust
• InfoCard
• Real world, secure web service: Paypal
• Security in Hardware

SAML

The Security Assertions Markup Language is an XML-based framework for Web services that enables the exchange of authentication and authorization information among business partners.
• Pre-dates WS-*
• Use-cases: Single Sign-On, Authorization Service, Back-office transaction
• OASIS included SAML in WS-Security
• Strong focus on Single Sign-On from browser

Diagram: the Client sends an Assertion Request to a Trusted 3rd Party (SAML Authority: Authentication, Attribute, Authorization) and receives a Response carrying the Assertion; the Client then presents “Subject” + Assertion to the Server.

Protocol: HTTP, SMTP, SOAP, JMS, ebXML, …

SAML Assertion (example assertion lost in extraction)

WS-Security & SAML

SAML in front of the SOAP message, or SAML in the SOAP message: the WS-Security SOAP Header carries the assertion ...
Diagram: Client sends “Subject” + Assertion to Server …

WS-Security Roadmap

Diagram (layers, top to bottom):
WS-SecureConversation | WS-Federation | WS-Authorization
WS-Policy | WS-Trust | WS-Privacy
WS-Security
SOAP Foundation

WS-Trust

Issuance: the Client presents a Claim to the Security Token Service and receives a Token (~ SAML Authentication).
Validation: the Client sends a Token to the Security Token Service and receives a Decision.
Exchange: the Client sends a Token to the Security Token Service and receives another Token (convert X509 or SAML to Kerberos).

WS-Trust

Diagram: Client <-> STS (Policy) --“Trust”-- STS (Policy) <-> Server
• Client -> its STS: Issue Token (WS-Trust)
• Server’s STS: Validate / Exchange Token (WS-Trust)
• Client -> Server: WS-Security with Token

Microsoft InfoCard

Diagram:
• WS-MEX, WS-SecurityPolicy: user selects “identity”
• WS-Trust: e.g. SAML
• WS-Security

Specialized WS Security products & vendors

• Agents / PEP: proxies or plugged into WS-Stack
• Overlap between tools/products for Securing & Managing web services
• (Reverse) Proxy

Features:
• Enforce policies (PEP)
• Sign, validate
• Encrypt/decrypt
• Support WS-Security, SAML, …
• Access Control: integrate with LDAP and Identity Mgt. solutions
• Data validation: against WSDL, against schema’s
• WS-Policy support
• Detect Denial-Of-Service
• Audit trail
• Route message

WS stack

Diagram: Client and Server, each with a stack of layers: XSLT / XQuery, Security, Routing, SOAP, WS-Manag(ement), ...

Service “mediation”

Real Web Services Security

Salesforce.com
• Userid & password (no WS-Security)
• Returns session-id and new server URL, e.g. https://na1-api.salesforce.com/services/Soap/c/7.0
Amazon S3
• Signature: RFC 2104 HMAC-SHA1 of "AmazonS3" + OPERATION + Timestamp, e.g. AmazonS3CreateBucket2005-01-31T23:59:59.183Z
PayPal
• Uses HTTPS with client certificate or “Signature”
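The Amazon S3 scheme above, as an added example that is not from the slides: the string to sign is "AmazonS3" + Operation + Timestamp, the signature is a Base64 HMAC-SHA1 over it with the caller's secret, and the receiving side recomputes it with a constant-time compare and a bounded timestamp window (so a captured signature stops being accepted shortly after it was issued). The secret, the window size and the clock values are constructed; the function names are this example's own.

```python
"""Added example (not from the slides): HMAC-SHA1 request signing over
"AmazonS3" + Operation + Timestamp, with the receiver's check."""
import base64
import hashlib
import hmac
from datetime import datetime

TS_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ"    # e.g. 2005-01-31T23:59:59.183Z


def string_to_sign(operation: str, timestamp: str) -> str:
    """Exactly the concatenation the slide shows."""
    return "AmazonS3" + operation + timestamp


def sign_request(secret: bytes, operation: str, timestamp: str) -> str:
    """Caller side: Base64(HMAC-SHA1(secret, string_to_sign))."""
    mac = hmac.new(secret, string_to_sign(operation, timestamp).encode("utf-8"), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode("ascii")


def verify_request(secret: bytes, operation: str, timestamp: str, signature: str,
                   now: str, max_skew_seconds: int = 900) -> bool:
    """Receiver side: accept only when the timestamp is within the window and
    the recomputed MAC matches. The window bounds how long any one signed
    request stays valid; the compare is constant-time."""
    try:
        sent = datetime.strptime(timestamp, TS_FORMAT)
        current = datetime.strptime(now, TS_FORMAT)
    except ValueError:
        return False                                   # malformed timestamp
    if abs((current - sent).total_seconds()) > max_skew_seconds:
        return False
    expected = sign_request(secret, operation, timestamp)
    return hmac.compare_digest(expected, signature)


if __name__ == "__main__":
    secret = b"constructed-secret-access-key"
    ts = "2005-01-31T23:59:59.183Z"                     # timestamp from the slide
    sig = sign_request(secret, "CreateBucket", ts)
    print(string_to_sign("CreateBucket", ts), sig)
    print(verify_request(secret, "CreateBucket", ts, sig, now="2005-02-01T00:00:10.000Z"))
```

Note that the operation name is part of the signed string, so a signature made for one operation does not verify for another; the timestamp window is what limits re-submission of the same signed request.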

PayPal “Signature” (screenshot lost in extraction)

WS/XML firewalls

• Sarvega's XPE 2000
• Forum Systems' XWall
• DataPower's XS40 XML Security Gateway (IBM)
• Westbridge Technology's XML Message Server
• Vordel's VordelSecure
• Reactivity's Reactivity XML Firewall
• Digital Evolution
• CISCO AON

EAI – WS – B2B

Diagram:
• WS: used for request/reply (RPC) within organizations
• B2B: EDIINT AS2; EDI VAN (Value Added Network); Transaction Delivery Network; Firewall
• EAI: Communication “Bus”; Messaging used for both request/reply (RPC) and asynchronous communication

EAI: Enterprise Service Bus

Enterprise Service Bus

Diagram: Communication Bus (e.g. JMS) with Design & configuration; Routing (XPath); Monitoring; Process Engine (BPEL4WS); Transform (XSLT); Adapter (JCA)

B2B - External connectivity

• EDI VAN
• RosettaNet – CIDX – PIDX
• ebXML
• EDIINT AS1/AS2/AS3
• BizTalk Framework 2.0
• FTP, FTPS (over SSL), SFTP (SSH), …

B2B

Almost no Web Services
• SwA: BizTalk Framework and ebXML
• XML over HTTP, FTP, ...
• EDIINT: can carry XML, but mostly EDIFACT & X12
Acknowledgements
• EDIINT: Message Disposition Notification
Security
• SSL of course
• RosettaNet & EDIINT: S/MIME and PKCS7
• ebXML: XML Signing (pre-dates WS-Security)

Recommended Reading (book covers lost in extraction)


soapUI

Conclusions

• WS-standards are “settling”: WS-Security + WS-RM + WS-Addressing
• More patience (why does it take so long?)
• Lessons from previous technologies, e.g. EDI
• WSDL first, know your XML (Schema’s)
• Make your web service secure
• And “Asynchronous”
• EAI/ESB as “stepping stone”

Q&A

Guy Crets [email protected] +32.(0)479.27.36.58 Apogado CVBA www.apogado.com www.integrationengineers.com
