DOCSLIB.ORG

Formal Analysis of Security Protocols Based on Web Services

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Formal Analysis of Security Protocols Based on Web Services Formal Analysis of Security Protocols Based on Web Services Fatima Shabbir August 8, 2011 UMI Number: U585480 All rights reserved INFORMATION TO ALL USERS The quality of this reproduction is dependent upon the quality of the copy submitted. In the unlikely event that the author did not send a complete manuscript and there are missing pages, these will be noted. Also, if material had to be removed, a note will indicate the deletion. Dissertation Publishing UMI U585480 Published by ProQuest LLC 2013. Copyright in the Dissertation held by the Author. Microform Edition © ProQuest LLC. All rights reserved. This work is protected against unauthorized copying under Title 17, United States Code. ProQuest LLC 789 East Eisenhower Parkway P.O. Box 1346 Ann Arbor, Ml 48106-1346 Contents 1 Introduction 1 1.1 Web S e rv ic e s ..................................................................................... 2 1.1.1 Web Services S e c u r ity .......................................................... 3 1.1.2 The Xeed for New Security Specifications for Web Ser­ vices 6 1.1.3 XML-based Web Services Security Specifications .... 7 1.1.4 WS-* based Web Services Security Specifications . 10 1.1.5 Security R equirem ents ..............................................................15 1.1.6 Vulnerabilities of WS-* Specifications ............................... 16 1.2 Formal M ethods .................................................................................. 19 1.2.1 Model Checking ........................................................................... 22 1.2.2 Spin Model Checker ..................................................................23 1.3 Problem Form ulation ............................................................................24 1.3.1 Research Objectives ..................................................................24 1.3.2 Proposed Analysis .....................................................................25 1.4 Attack M o d e l ........................................................................................... 27 1.5 Thesis Overview ....................................................................................... 29 2 Literature Review 31 3 System Model 49 3.1 Chapter Objectives .............................................................................. 49 3.2 Model C hecking .......................................................................................50 3.2.1 Model Checking P ro c e ss .......................................................... 50 3.3 Modelling Cryptographic Protocols ................................................. 51 3.3.1 Guidelines for Modelling Cryptographic Protocols . 53 3.4 Security Protocol M odels .......................................................................56 3.4.1 Simple Message Exchange P ro to c o l .....................................57 3.4.2 Security Token P r o to c o l ........................................................ 61 3.5 Environment Model for P ro to c o ls ...................................................... 65 3.5.1 Environment Model for SM E P .................................................67 3.5.2 Environment Model for ST P .................................................... 71 3.6 Intruder Model for Protocols ................................................................ 76 3.6.1 Manipulated Protocol Run for S M E P ...................................77 3.6.2 Manipulated Protocol Run for S T P ...................................... 78 3.7 System Properties ....................................................................................79 3.7.1 Property Specification for S M E P ......................................... 80 3.7.2 Property Specification for STP .............................................82 3.8 Concluding Remarks ............................................................................. 84 4 Modelling Protocols with Automata 87 4.1 Chapter O bjectives .................................................................................87 4.2 Pushdown automaton ............................................................................. 88 4.3 Simple Message Exchange Protocol ................................................... 90 4.4 Security Token Protocol .....................................................................102 4.5 Concluding Rem arks ........................................................................... 116 5 Promela Model 118 5.1 Chapter O b jectiv es ...............................................................................119 5.2 Introduction to Prom ela .....................................................................121 5.3 System Modelling S te p s ..................................................................... 122 5.3.1 Simple Message Exchange P ro to c o l ................................... 125 5.3.2 Security Token Protocol ....................................................... 139 5.4 Concluding Remarks ............................................................................155 6 Simulation and Verification Results 156 6.1 Chapter O b jectiv es ...............................................................................157 6.2 Simulation R e s u lts ...............................................................................158 6.2.1 Simple Message Exchange Protocol ................................... 158 6.2.2 Security Token Protocol .......................................................167 6.3 Verification ............................................................................................174 6.3.1 Simple Message Exchange Protocol ................................... 177 6.3.2 Security Token Protocol .......................................................178 6.4 Concluding R e m a rk s ...........................................................................179 ii 7 XML Injection Attack Model 181 7.1 Simple Message Exchange Protocol .................................................183 7.1.1 T y p e s .........................................................................................183 7.1.2 C hannels ..................................................................................... 184 7.1.3 Global Variables .....................................................................185 7.1.4 Principal P ro cesses ..................................................................185 7.2 Security Token Protocol .................................................................... 191 7.2.1 T y p e s ........................................................................................ 192 7.2.2 Channels ......................................................................................193 7.2.3 Global Variables ..................................................................... 193 7.2.4 Principal P ro cesses ..................................................................194 7.3 Concluding Remarks ...........................................................................201 8 Simulation and Verification for XML Injection Attack 202 8.1 Simulation R e s u lts .............................................................................. 202 8.1.1 Simple Message Exchange Protocol .....................................202 8.1.2 Security Token Protocol ........................................................ 208 8.2 Verification Results .............................................................................. 216 8.2.1 Simple Message Exchange P ro to c o l .................................... 216 8.2.2 Security Token P r o to c o l ........................................................217 8.3 Concluding Remarks ...........................................................................217 9 Conclusions and Future Work 220 Bibliography 229 Appendix: SMEP 242 Appendix: STP 245 List of Figures 1.1 Web Services Security Stack ............................................................. 14 1.2 SOAP envelope incorporating WS-Security ................................ 15 1.3 Message tampering scenario in a secure session .............................. 28 1.4 An XML rewriting a t t a c k .............................................................. 29 3.1 Schematic view of Model Checking approach ................................. 52 3.2 Security Token Protocol ..................................................................... 66 4.1 Simple Message Exchange Protocol automaton ..............................93 4.2 Security Token Protocol Protocol automaton .................................107 5.1 Types of O b je c ts ................................................................................ 120 6.1 Message sequence chart for A —>• B ................................................160 6.2 Message Sequence Chart for A—>4 ...................................................162 6.3 Message Sequence Chart for A —> I followed by 1(A) —> B. 164 6.4 Message Sequence Chart for I —>• B ................................................165 6.5 Message Sequence Chart for I —► B followed by A —>1(B). 167 6.6 Message Sequence Chart for A —► STS ..........................................169 6.7 Message Sequence Chart for I —► S T S ..........................................171 6.8 Message Sequence Chart for 1(A) -» STS ..................................... 173 8.1 Message Sequence Chart for SMEP XML Content Injection Attack....................................................................................................... 205 8.2 Message Sequence Chart - SMEP XML Element Injection At­ tack............................................................................................................207
Load more

Recommended publications
  • Security on the Mainframe Stay Connected to IBM Redbooks
    Front cover Security on the IBM Mainframe Operating system and application security IBM Security Blueprint and Framework IBM mainframe security concepts Karan Singh Lennie Dymoke-Bradshaw Thomas Castiglion Pekka Hanninen Vincente Ranieri Junior Patrick Kappeler ibm.com/redbooks International Technical Support Organization Security on the IBM Mainframe April 2010 SG24-7803-00 Note: Before using this information and the product it supports, read the information in “Notices” on page ix. First Edition (April 2010) This edition applies to the IBM System z10 Enterprise Class server, the IBM System z10 Business Class server, and Version 1, Release 11, Modification 0 of z/OS (product number 5694-A01). © Copyright International Business Machines Corporation 2010. All rights reserved. Note to U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp. Contents Notices . ix Trademarks . .x Preface . xi The team who wrote this book . xi Now you can become a published author, too! . xii Comments welcome. xii Stay connected to IBM Redbooks . xiii Part 1. Introduction . 1 Chapter 1. Introduction. 3 1.1 IBM Security Framework. 4 1.1.1 People and identity . 5 1.1.2 Data and information. 5 1.1.3 Application and process . 5 1.1.4 Network, server, and endpoint . 5 1.1.5 Physical Infrastructure . 6 1.2 Framework and Blueprint . 7 1.3 IBM Security Blueprint. 7 Chapter 2. Security of the IBM Mainframe: yesterday and today . 13 2.1 Operating systems . 14 2.1.1 z/OS operating system family . 14 2.1.2 z/VM Hypervisor family .
    [Show full text]
  • IBM Security Access Manager Version 9.0.7 June 2019: Advanced Access Control Configuration Topics Contents
    IBM Security Access Manager Version 9.0.7 June 2019 Advanced Access Control Configuration topics IBM IBM Security Access Manager Version 9.0.7 June 2019 Advanced Access Control Configuration topics IBM ii IBM Security Access Manager Version 9.0.7 June 2019: Advanced Access Control Configuration topics Contents Figures .............. vii Configuring authentication ........ 39 Configuring an HOTP one-time password Tables ............... ix mechanism .............. 40 Configuring a TOTP one-time password mechanism 42 Configuring a MAC one-time password mechanism 45 Chapter 1. Upgrading configuration ... 1 Configuring an RSA one-time password mechanism 46 Upgrading external databases with the dbupdate tool Configuring one-time password delivery methods 50 (for appliance at version 9.0.0.0 and later) .... 2 Configuring username and password authentication 54 Upgrading a SolidDB external database (for Configuring an HTTP redirect authentication appliance versions earlier than 9.0.0.0) ...... 3 mechanism .............. 56 Upgrading a DB2 external runtime database (for Configuring consent to device registration .... 57 appliance versions earlier than 9.0.0.0) ...... 4 Configuring an End-User License Agreement Upgrading an Oracle external runtime database (for authentication mechanism ......... 59 appliance versions earlier than 9.0.0.0) ...... 5 Configuring an Email Message mechanism .... 60 Setting backward compatibility mode for one-time HTML format for OTP email messages .... 62 password ............... 6 Configuring the reCAPTCHA Verification Updating template files ........... 6 authentication mechanism ......... 62 Updating PreTokenGeneration to limit OAuth tokens 7 Configuring an Info Map authentication mechanism 64 Reviewing existing Web Reverse Proxy instance point Embedding reCAPTCHA verification in an Info of contact settings ............ 8 Map mechanism ............ 66 Upgrading the signing algorithms of existing policy Available parameters in Info Map .....
    [Show full text]
  • Pdf/Idm Tech Wp 11G R1.Pdf
    Oracle® Fusion Middleware Integration Overview for Oracle Identity Management Suite 11g Release 1 (11.1.1) E15477-03 August 2012 Oracle Fusion Middleware Integration Overview for Oracle Identity Management Suite, 11g Release 1 (11.1.1) E15477-03 Copyright © 2010, 2012, Oracle and/or its affiliates. All rights reserved. Primary Author: Vinaye Misra Contributors: Sidhartha Das, Ellen Desmond, Subbu Devulapalli, Sandy Lii, Kavya Muthanna, Sanjay Rallapalli, Vinay Shukla, Olaf Stullich, Lyju Vadassery, Mark Wilcox This software and related documentation are provided under a license agreement containing restrictions on use and disclosure and are protected by intellectual property laws. Except as expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit, distribute, exhibit, perform, publish, or display any part, in any form, or by any means. Reverse engineering, disassembly, or decompilation of this software, unless required by law for interoperability, is prohibited. The information contained herein is subject to change without notice and is not warranted to be error-free. If you find any errors, please report them to us in writing. If this is software or related documentation that is delivered to the U.S. Government or anyone licensing it on behalf of the U.S. Government, the following notice is applicable: U.S. GOVERNMENT END USERS: Oracle programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation, delivered to U.S. Government end users are "commercial computer software" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, use, duplication, disclosure, modification, and adaptation of the programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation, shall be subject to license terms and license restrictions applicable to the programs.
    [Show full text]
  • Understanding SOA Security Design and Implementation
    Front cover Understanding SOA Security Design and Implementation Introducing an SOA security reference architecture Implementing scenarios based on the IBM SOA Foundation Deploying SOA using IBM Tivoli security solutions Axel Buecker Paul Ashley Martin Borrett Ming Lu Sridhar Muppidi Neil Readshaw ibm.com/redbooks International Technical Support Organization Understanding SOA Security Design and Implementation November 2007 SG24-7310-01 Note: Before using this information and the product it supports, read the information in “Notices” on page xi. Second Edition (November 2007) This edition applies to Version 6.0 of IBM Tivoli Access Manager for e-business, Version 6.1.1 of IBM Tivoli Federated Identity Manager, and Version 6.0 of IBM Tivoli Directory Server. We are also discussing several other IBM software products in the context of hands-on scenarios. © Copyright International Business Machines Corporation 2007. All rights reserved. Note to U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp. Contents Notices . .xi Trademarks . xii Preface . xiii The team that wrote this IBM Redbook . xiii Become a published author . xvi Comments welcome. xvi Summary of changes . xvii November 2007, Second Edition . xvii Part 1. Business context and foundation . 1 Chapter 1. Business context . 3 1.1 Business scenarios . 4 1.1.1 Service creation at an insurance company . 4 1.1.2 Service connectivity at a government department . 5 1.1.3 Interaction and collaboration at a telecommunications company . 5 1.2 Service orientation in SOA . 6 1.2.1 More than componentization. 7 1.2.2 A focus on reuse .
    [Show full text]
  • IBM Tivoli Security Solutions for Microsoft Software Environments
    Front cover IBM Tivoli Security Solutions for Microsoft Software Environments Explaining common architecture and standards Deploying on Microsoft operating systems Securing Microsoft software environments Axel Buecker Neil Readshaw ibm.com/redbooks Redpaper International Technical Support Organization IBM Tivoli Security Solutions for Microsoft Software Environments September 2008 REDP-4430-00 Note: Before using this information and the product it supports, read the information in “Notices” on page v. First Edition (September 2008) This document created or updated on September 18, 2008. © Copyright International Business Machines Corporation 2008. All rights reserved. Note to U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp. Contents Notices . .v Trademarks . vi Preface . vii The team that wrote this paper . vii Become a published author . viii Comments welcome. viii Chapter 1. Architecture and standards . 1 1.1 IBM Security Framework. 2 1.2 IBM Service Management strategy . 3 1.2.1 Visibility . 3 1.2.2 Controls. 3 1.2.3 Automation . 3 1.3 Security standards . 4 1.3.1 LDAP. 4 1.3.2 Kerberos . 4 1.3.3 SPNEGO. 4 1.3.4 SSL and TLS. 5 1.3.5 Service-oriented architecture and Web Services Security . 5 1.4 Conclusion . 9 Chapter 2. IBM Tivoli Security Solutions using Microsoft operating systems and middleware . 11 2.1 Microsoft products that we discuss in this chapter . 12 2.1.1 Operating systems . 12 2.1.2 Middleware . 12 2.2 Support summary by IBM Tivoli Security product . 13 2.2.1 IBM Tivoli Directory Server .
    [Show full text]
  • Cloud Access Manager Overview Updated - November 2018 Version - 8.1.4 Contents
    Cloud Access Manager 8.1.4 Overview Copyright 2018 One Identity LLC. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the applicable agreement. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose other than the purchaser’s personal use without the written permission of One Identity LLC . The information in this document is provided in connection with One Identity products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of One Identity LLC products. EXCEPT AS SET FORTH IN THE TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, ONE IDENTITY ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON- INFRINGEMENT. IN NO EVENT SHALL ONE IDENTITY BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF ONE IDENTITY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. One Identity makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice.
    [Show full text]
  • Vendor: Microsoft Exam Code: 70-534 Exam Name: Architecting
    Vendor: Microsoft Exam Code: 70-534 Exam Name: Architecting Microsoft Azure Solutions Version: DEMO ★ Instant Download ★ PDF And VCE ★ 100% Passing Guarantee ★ 100% Money Back Guarantee Case Study 1 - VanArsdel, Ltd (Question 1 - Question 8) Case Study 2 - Trey Research (Question 53 - Question 57) Case Study 3 - Contoso, Ltd (Question 58 - Question 62) Case Study 4 - Lucerne Publishing (Question 63 - Question 68) Case Study 5 - Northwind traders (Question 69 - Question 77) Case Study 6 - Fourth Coffee (Question 180 - Question 187) Case Study 7 - Trey Research (Question 188 - Question 195) Case Study 8 - Woodgrove Bank (Question 196 - Question 203) QUESTION 1 You need to recommend a solution that allows partners to authenticate. Which solution should you recommend? A. Configure the federation provider to trust social identity providers. B. Configure the federation provider to use the Azure Access Control service. C. Create a new directory in Azure Active Directory and create a user account for the partner. D. Create an account on the VanArsdel domain for the partner and send an email message that contains the password to the partner. Answer: B Explanation: * Scenario: The partners all use Hotmail.com email addresses. * In Microsoft Azure Active Directory Access Control (also known as Access Control Service or ACS), an identity provider is a service that authenticates user or client identities and issues security tokens that ACS consumes. The ACS Management Portal provides built-in support for configuring Windows Live ID as an ACS Identity Provider. Incorrect: Not C, not D: Scenario: VanArsdel management does NOT want to create and manage user accounts for partners.
    [Show full text]
  • Identity Authentication Service SAP Cloud Platform
    Identity Authentication Service SAP Cloud Platform Marko Sommer, SAP July 26th, 2017 PUBLIC Legal disclaimer The information in this presentation is confidential and proprietary to SAP and may not be disclosed without the permission of SAP. This presentation is not subject to your license agreement or any other service or subscription agreement with SAP. SAP has no obligation to pursue any course of business outlined in this document or any related presentation, or to develop or release any functionality mentioned therein. This document, or any related presentation and SAP's strategy and possible future developments, products and or platforms directions and functionality are all subject to change and may be changed by SAP at any time for any reason without notice. The information in this document is not a commitment, promise or legal obligation to deliver any material, code or functionality. This document is provided without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. This document is for informational purposes and may not be incorporated into a contract. SAP assumes no responsibility for errors or omissions in this document, except if such damages were caused by SAP´s willful misconduct or gross negligence. All forward-looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. Readers are cautioned not to place undue reliance on these forward-looking statements, which speak only as of their dates, and they should not be relied upon in making purchasing decisions.
    [Show full text]
  • Cloud Access Manager Security and Best Practices Guide Updated - November 2018 Version - 8.1.4 Contents
    Cloud Access Manager 8.1.4 Security and Best Practices Guide Copyright 2018 One Identity LLC. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the applicable agreement. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose other than the purchaser’s personal use without the written permission of One Identity LLC . The information in this document is provided in connection with One Identity products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of One Identity LLC products. EXCEPT AS SET FORTH IN THE TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, ONE IDENTITY ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON- INFRINGEMENT. IN NO EVENT SHALL ONE IDENTITY BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF ONE IDENTITY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. One Identity makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice.
    [Show full text]
  • Federated Identity Management and Web Services Security with IBM Tivoli Security Solutions
    Front cover Federated Identity Management and Web Services Security with IBM Tivoli Security Solutions Introduction to Web services security standards Complete product architecture and component discussion Extensive federation business scenario Axel Buecker Werner Filip Heather Hinton Heinz Peter Hippenstiel Mark Hollin Ray Neucom Shane Weeden Johan Westman ibm.com/redbooks International Technical Support Organization Federated Identity Management and Web Services Security with IBM Tivoli Security Solutions October 2005 SG24-6394-01 Note: Before using this information and the product it supports, read the information in “Notices” on page xiii. Second Edition (October 2005) This edition applies to Version 6 of Tivoli Federated Identity Manager (product number 5724-L73) and to all subsequent releases and modifications until otherwise indicated in new editions. Various other related IBM and Tivoli products are mentioned in this book. © Copyright International Business Machines Corporation 2004, 2005. All rights reserved. Note to U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp. Contents Notices . xiii Trademarks . xiv Preface . xv The team that wrote this redbook. xvi Become a published author . xviii Comments welcome. xix Part 1. Architecture and design . 1 Chapter 1. Business context for identity federation . 3 1.1 Federated identity . 4 1.2 Business environment . 5 1.2.1 Deconstruction of the enterprise . 5 1.2.2 Enterprise re-aggregation . 6 1.2.3 High-level example of a re-aggregated business . 7 1.2.4 Business models for federated identity . 9 1.2.5 The relationship - Trust and assurance. 15 1.3 IT environment . 17 1.3.1 The role of identity management.
    [Show full text]
  • Security As a Service Leveraged by Apache Projects Oliver Wulff, Talend Application Security Landscape
    Security As A Service Leveraged by Apache Projects Oliver Wulff, Talend Application Security Landscape 11/19/14 2 Solution Building blocks ● Apache CXF Fediz ● Single Sign On (WS-Federation) ● Attribute Based Access Control (SAML AttributeStatement) ● Identity Provider and Application Server Plugin ● Apache Syncope ● IAM (User management, Attribute Management, Provisioning) ● Connector LDAP ● Apache DS ● LDAP Server ● PostgreSQL ● Database for Syncope and Fediz IDP 11/19/14 3 Solution Building blocks Demo Federation/SSO with Apache Tomcat Application 11/19/14 4 Solution Building blocks Apache CXF Fediz 11/19/14 5 Apache CXF Fediz ● Sub-project of Apache CXF project ● Work started mid of 2011 ● Community growing ● First release in June 2012 ● Current release 1.1.2 ● Finishing work for 1.2 11/19/14 6 OASIS WS-Federation 1.2 ● OASIS Standard 2009 ● Security Token agnostic (SAML 1.1/2.0, …) ● Extends OASIS WS-Trust ● Browser and Web Services SSO ● PRP adapts Browsers to WS-Trust ● No connectivity between Application and IDP required (Cloud) ● Claims/Attribute Based Access Control ● Supports several Authentication domains 11/19/14 7 ) Security Tokens STS ) ( issued by STS (IDP Fediz IDP Identity Provider Security Token Service Fediz STS 8 ) -Federation (RP WS -Trust WS Web Application n WS-Federation o i n Fediz Plugin t Relying Party e a k c i o t T n e h t u A Servlet Container Access Web Application Redirect to IDP HTTPS Browser User Machine 11/19/14 Fediz Plugin ● WS-Federation 1.0/1.1/1.2 ● SAML 1.1 / 2.0 Tokens ● SAML-P support ● IDP
    [Show full text]
  • IBM Presentations
    1 2 3 Datapower is both a security appliance & can provide a firewall mechanism to get into Systems of Record 5 White boxes show the access points for different kinds of security. That’s what we will talk about: Security points for an Enterprise Server. What are the Security scenarios: Inbound: protecting transactions, commands & Data Outbound: messages will need to carry some form of an authentication mechanism The OTMA Resume TPIPE Security exit routine (DFSYRTUX) is one of two possible methods that you can use to secure messages queued on the OTMA asynchronous hold queue. The other possible method of securing messages on the asynchronous hold queue is to use an external security product, such as RACF. The DFSYRTUX exit routine and an external security product can each by used by itself or in combination with each other. The DFSYRTUX exit routine runs in the IMS control region. You can set a default RACF user ID for IMS Connect to use when the input message either does not contain a userid in the header or the field is blank. When the default RACF userid is used, IMS Connect passes it in the OMSECUID field of the input message to OTMA. When OTMA security checking is enabled, OTMA uses the RACF userid for authorizing commands, transactions, and RESUME TPIPE calls with RACF. When both a default RACF userid is defined and the incoming message header userid field is not blank, IMS Connect uses the userid value in the message header. A lot of people also use IMS Connect Extensions. Connect extensions also implements these security exit routines.
    [Show full text]