Secured Web Services Specifications by Sudeep Mukherjee & Dr


Global Journal of Computer Science and Technology
Network, Web & Security
Volume 12 Issue 17 Version 1.0 Year 2012
Type: Double Blind Peer Reviewed International Research Journal
Publisher: Global Journals Inc. (USA)
Online ISSN: 0975-4172 & Print ISSN: 0975-4350

Secured Web Services Specifications
By Sudeep Mukherjee & Dr. Rizwan Beg
Integral University Lucknow, India

Abstract - The proliferation of XML based web services in the IT industry not only gives rise to opportunities but challenges too, namely the challenges of security and a standard way of maintaining it across domains and organisational boundaries. OASIS, W3C and other organisations have done some great work in bringing about this synergy. What I look at in this paper are some of the more popular standards in vogue today, clubbed under the WS-* specification. I will try to give an overview of the various frameworks and protocols being used to keep web-services secure. Some of the major protocols looked into are WS-Security, SAML, WS-Federation, WS-Trust, XML-Encryption and Signature. This paper will give you a brief introduction to the impact of using WS-* on time complexity due to the extra load of encrypting and certificates. Windows Communication Foundation (WCF) is one of the best designed toolsets for this, though WCF is not the topic of discussion in this paper.

Keywords: soa; web-service; ws-security; ws-trust; ws-federation; xml; soap.

GJCST-E Classification: D.4.6

© 2012. Sudeep Mukherjee & Dr. Rizwan Beg. This is a research/review paper, distributed under the terms of the Creative Commons Attribution-Noncommercial 3.0 Unported License (http://creativecommons.org/licenses/by-nc/3.0/), permitting all non-commercial use, distribution, and reproduction in any medium, provided the original work is properly cited.
Sudeep Mukherjee α & Dr. Rizwan Beg σ

Author α: Department of Computer Science & Engineering, Integral University Lucknow, India.
Author σ: HOD, Department of Computer Science & Engineering, Integral University Lucknow, India.

I. INTRODUCTION

Dependable and secure computing intends to provide services with a high degree of availability (A), reliability, safety, integrity (I), maintainability, and confidentiality (C)[1]. Old-fashioned Human-to-Machine interaction is a forgotten story on the World Wide Web. Increasingly we see that application-to-application interaction is running our internet. Therefore it is not surprising that when we humans interact with the web, the majority of the work is done by these software agents communicating with other computer systems, requesting service and getting the desired result in response.

This has radically changed the efficiency as well as customer satisfaction for online business houses, so much so that many business models have no to minimal human intervention. As such, new technologies, protocols and frameworks have flooded the market. Yet this great leap has a very dark side to it too. The expansion of application-application messaging infrastructure has attracted old and new attackers who are bent upon destroying or breaking this system for financial gains.

E-commerce applications are the favourite hunting ground for attackers who would like nothing more than to get their hands on sensitive back-end data like customer profiles, cards, addresses etc. In the years gone by most companies had an easy option: just install a firewall or intrusion detection software. This kept their domain and data safe, but as mentioned earlier, with the new concept of application-to-application cross-domain communication, firewalls have become defunct to a large extent. Firewalls isolate an organization's network system but allow two TCP ports to remain open - port 80 for HTTP and port 447 for HTTPS[2].

These ports are used for communication to send and receive Web pages. This deadly combination of easy access and human readable data is a goldmine for attackers. Irrespective of the level of SOA integration, security should be one of the top priorities of any organisation. Every computer based organization must revisit their security strategy for facing new security challenges posed by Web Services. Some of these issues are:

• Legacy applications work on the concept that authentication alone can filter out the unwanted attackers; unfortunately this assumption in the new internet infrastructure is grossly mistaken. These applications do not have the wherewithal to face the new age attackers.
• Most organisations, to save cost, have used the strategy of keeping their core application the same and exposing it to the World Wide Web through a layer of web-services; this causes an immediate security hole and more often than not the business logic is compromised.
• Validation checks are kept on the client-side UI; this is not the approved way of doing business in a SOA based architecture.
• As mentioned earlier, firewalls or packet-filters at the network level are incapable of detecting malicious behaviour of XML/SOAP based attackers.

Transport Layer Security (TLS) is the most popular tool used to secure web-based data through authentication and encryption. Unfortunately, in the case of SOA, because TLS works between two endpoints it has no way of protecting multiple points or intermediaries. SOAP requires protection of its messages as they are passed through a chain of intermediaries; this is the inherent nature that makes Web-Services most vulnerable.

As a security solution at the transport layer, TLS cannot provide flexibility for message transmission, such as encrypting different elements of the message with different keys so that each recipient can read only the parts of the message about him.[3]

Because of their nature (loosely coupled connections) and their use of open access (mainly HTTP), SOA infrastructures implemented by web services add a new set of requirements to the security landscape. Web services security requirements also involve credential mediation (exchanging security tokens in a trusted environment), and service capabilities and constraints (defining what a web service can do, under what circumstances).[4]

Let's look at some of the ways to keep Web-Services secure. This paper tries to enumerate a few of the security tools that have been introduced by the industry which make Web Services more secure. The first major aspect that I will look into is Authentication.

II. AUTHENTICATION

Authentication is needed to protect resources and control the access to these resources. If SOA concepts are to be implemented then the authentication procedure should be seamless between different entities and the user should not be asked to log in more than once.

Service-to-service authentication is possible using a variety of methods, from HTTP-based to SSL certificate based. If we look into the SOAP message, the new protocols give us an added option of passing tokens along with the SOAP request. Mostly the HTTP and SSL based authentication is transparent to the Web service, while SOAP-based token protocols require interaction between Web services.

Web services that use tokens for authentication are best served by the OASIS WS-Security standard. Currently five token types are defined. These are the Username Token, X.509 token, the SAML token, Kerberos token, and the Rights Expression Language (REL) token. When a service provider attempts to access a remote Web service, it has the option to send an authentication token, impersonating the user within a WS-Security message.

1) Username Token

2) X.509 Certificate Token

An X.509 certificate specifies a binding between a public key and a set of attributes that includes (at least) a subject name, issuer name, serial number and validity interval. This binding may be subject to subsequent revocation advertised by mechanisms that include issuance of CRLs, OCSP tokens or mechanisms that are outside the X.509 framework, such as XKMS.

… authorization data between entities. SAML is a product of the OASIS Security Services Technical Committee.[6]

A SAML specification defines:

• Assertions: It basically defines the three A's, i.e. Attribute, Authentication and Authorization data.
• Protocol: This defines the main elements taking place in the Web-Service Request/Response standard and they help in packaging assertions.
• Bindings: Clearly lays out the way to map SAML Protocols on all the other messaging and communication protocols.
• Profiles: Defines the combination of bindings, assertions and protocols to support a particular use case.

Figure 1 : SAML Structure

An assertion contains a packet of security information:

<saml:Assertion…>
…
</saml:Assertion>

[Figure: Assertions. saml:AssertionType: saml:Issuer, ds:Signature, saml:Subject, saml:Condition, saml:Advice, saml:Statement, saml:AuthnStatement]
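The assertion structure listed above, as an added example that is not part of the original paper: a relying-party pre-check over a constructed SAML 2.0 assertion (there the figure's saml:Condition element is named saml:Conditions). The issuer, audience, subject, clock-skew value and function names are assumptions, and cryptographic verification of ds:Signature, which needs an XML Signature library, is not performed here.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SKEW = timedelta(minutes=2)   # assumed tolerated clock skew

# Constructed sample: issuer, audience and subject are made-up values, and the
# ds:Signature is a structural stand-in with digest and signature value elided.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_a1" Version="2.0" IssueInstant="2012-06-01T12:00:00Z">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo></ds:Signature>
  <saml:Subject><saml:NameID>alice@example.org</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2012-06-01T12:00:00Z" NotOnOrAfter="2012-06-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.com</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2012-06-01T12:00:00Z"/>
</saml:Assertion>"""


def _ts(value):
    """Parse a UTC xs:dateTime of the form 2012-06-01T12:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_assertion(xml_text, trusted_issuers, audience, now):
    """Return the reasons to reject; an empty list means every check passed."""
    # Production services should parse untrusted XML with a hardened parser.
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % NS["saml"]:
        return ["root element is not saml:Assertion"]
    findings = []
    if root.findtext("saml:Issuer", "", NS).strip() not in trusted_issuers:
        findings.append("untrusted issuer")
    # Only a direct child counts: a Signature nested elsewhere in the document
    # does not cover this assertion.
    sigs = root.findall("ds:Signature", NS)
    if len(sigs) != 1:
        findings.append("missing or duplicate ds:Signature")
    else:
        ref = sigs[0].find("ds:SignedInfo/ds:Reference", NS)
        assertion_id = root.get("ID")
        if not assertion_id or ref is None or ref.get("URI") != "#" + assertion_id:
            findings.append("signature does not reference this assertion")
    if not root.findtext("saml:Subject/saml:NameID", "", NS).strip():
        findings.append("no subject")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        findings.append("no conditions")
    else:
        # Assumed policy: both ends of the validity window must be present.
        try:
            not_before = _ts(cond.get("NotBefore", ""))
            not_on_or_after = _ts(cond.get("NotOnOrAfter", ""))
            if now + SKEW < not_before:
                findings.append("not yet valid")
            if now - SKEW >= not_on_or_after:
                findings.append("expired")
        except ValueError:
            findings.append("missing or malformed validity window")
        audiences = [a.text for a in
                     cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if audience not in audiences:
            findings.append("audience mismatch")
    if root.find("saml:AuthnStatement", NS) is None:
        findings.append("no authentication statement")
    return findings
```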
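For the Authentication section's point about passing tokens along with the SOAP request, an added example (not from the paper) showing both sides of a WS-Security Username Token exchange in its password-digest form, Base64(SHA-1(nonce + created + password)). The user name, password, five-minute freshness window and the class and function names are assumptions.

```python
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
WSU = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd")
DIGEST_TYPE = ("http://docs.oasis-open.org/wss/2004/01/"
               "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")
NS = {"s": SOAP, "wsse": WSSE, "wsu": WSU}
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"
MAX_AGE = timedelta(minutes=5)   # assumed freshness window


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Base64(SHA-1(nonce + created + password)), the profile's digest form."""
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def build_request(username, password, now, nonce=None):
    """Sender side: SOAP envelope whose header carries the UsernameToken."""
    nonce = nonce if nonce is not None else os.urandom(16)
    created = now.strftime(TS_FORMAT)          # `now` must be a UTC datetime
    env = ET.Element(f"{{{SOAP}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP}}}Header")
    sec = ET.SubElement(header, f"{{{WSSE}}}Security")
    tok = ET.SubElement(sec, f"{{{WSSE}}}UsernameToken")
    ET.SubElement(tok, f"{{{WSSE}}}Username").text = username
    pw = ET.SubElement(tok, f"{{{WSSE}}}Password", {"Type": DIGEST_TYPE})
    pw.text = password_digest(nonce, created, password)
    ET.SubElement(tok, f"{{{WSSE}}}Nonce").text = base64.b64encode(nonce).decode("ascii")
    ET.SubElement(tok, f"{{{WSU}}}Created").text = created
    ET.SubElement(env, f"{{{SOAP}}}Body")
    return ET.tostring(env, encoding="unicode")


class TokenVerifier:
    """Receiver side: checks the digest, the timestamp and nonce reuse."""

    def __init__(self, passwords):
        self.passwords = passwords   # username -> shared password
        self.seen = {}               # nonce -> Created time, for replay detection

    def verify(self, soap_xml, now):
        """Return (accepted, username or rejection reason)."""
        # Production services should parse untrusted XML with a hardened parser.
        root = ET.fromstring(soap_xml)
        tokens = root.findall("s:Header/wsse:Security/wsse:UsernameToken", NS)
        if len(tokens) != 1:
            return False, "expected exactly one UsernameToken"
        tok = tokens[0]
        user = tok.findtext("wsse:Username", None, NS)
        pw = tok.find("wsse:Password", NS)
        nonce_b64 = tok.findtext("wsse:Nonce", None, NS)
        created = tok.findtext("wsu:Created", None, NS)
        if not user or pw is None or not pw.text or not nonce_b64 or not created:
            return False, "incomplete token"
        if pw.get("Type") != DIGEST_TYPE:
            return False, "password is not a digest"
        try:
            nonce = base64.b64decode(nonce_b64, validate=True)
            stamp = datetime.strptime(created, TS_FORMAT).replace(tzinfo=timezone.utc)
        except ValueError:
            return False, "malformed nonce or timestamp"
        if abs(now - stamp) > MAX_AGE:
            return False, "stale timestamp"
        # Forget nonces older than the window, then refuse any still remembered.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= MAX_AGE}
        if nonce in self.seen:
            return False, "replayed nonce"
        expected = password_digest(nonce, created, self.passwords.get(user, ""))
        matches = hmac.compare_digest(expected.encode("utf-8"), pw.text.encode("utf-8"))
        if user not in self.passwords or not matches:
            return False, "bad credentials"
        self.seen[nonce] = stamp
        return True, user
```

The digest form requires the service to hold the password itself, and the token authenticates only the sender, so the message body still needs TLS or a message signature.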