SOA, Interoperability

and Security

All roads lead to web services

security

Nataraj Nagaratnam, Ph.D.,

IBM Distinguished Engineer

Chief Architect, Identity and SOA Security, Tivoli, Software Group, IBM

natarajn@us.ibm.com

Agenda

• Service Oriented Architecture and Interoperability

– Role of Web Services

• SOA Security Considerations

• Web Services Security

– Standards Roadmap

– Message security

– Policy

– Trust, Authorization

10/23/2007 Template Documentation 3

SOA and Interoperability

What is SOA?… a service?

A repeatable business task –

e.g., check customer credit;

open new account

… service oriented architecture (SOA)?

An IT architectural style that supports

integrating your business as linked

services

10/23/2007 Template Documentation 5

What is the SOA model? Business Componentization

Re-defining today’s monolithic enterprise

processes as a set of standardized

modular business process components

Business Componentization

Re-defining today’s monolithic enterprise

processes as a set of standardized

modular business process components

Service Oriented Architecture

An IT model which mirrors the interaction

of business components through a set of

IT applications implemented as real-time

services that interact dynamically

Service Oriented Architecture

An IT model which mirrors the interaction

of business components through a set of

IT applications implemented as real-time

services that interact dynamically

Business

components

SOA application

components *

Web Services

A set of vendor neutral and platform

agnostic standards that can be used to

define how SOA components interact

Web Services

A set of vendor neutral and platform

agnostic standards that can be used to

define how SOA components interact

WS Protocols (XML, SOAP, WSDL, UDDI) provide an interface toolkit for components

Business components

SOA components

Components interfaces

Web Services protocols* Each SOA application component may be made up of multiple applications

Business

Processes

Quality of

Service

Description

Messaging

Business Process Execution LanguageFor Web Services (BPEL4WS)

SecurityReliability ManagementTransactions

Web Services Description Language (WSDL)

Simple Object Access Protocol (SOAP)

Extensible Markup Language (XML)

Other Protocols Other Services

Web Services – a Simple View

WS-* Architectural Principles• Message orientation

– Using only messages to communicate between services

• Protocol composability– Use protocol building blocks in nearly any combination.

• Autonomous services – Independent endpoints

• Managed transparency– Controlling what is externally visible

• Protocol-based integration – Coupling via wire artifacts only.

SOA – Security considerations

10/23/2007 Template Documentation 9

Security Considerations for SOA• Entities/Identities – users, services

�Services have identities

� Identities and/or credentials are propagated across services

�Users and services are now subject to the same security controls

• Organizational/enterprise boundaries

�Perimeter is obscure

� Identities are managed across boundaries

�Trust relationships are established across boundaries

• Composite applications

�Ensuring proper security controls are enacted for each service and when used in combination

• Greater focus on data/information

�Protecting data at transit and at rest

�Apply consistent protection measures

�Access to data by applications and services

• Governance, Risk, and Compliance

�Auditing ie. entity identification to specific transactions

10/23/2007 Template Documentation 10

SOA Security – Reference Model

Business Security Services

Identity &

Access

Data Protection, Privacy

& Disclosure Control

Secure Systems

& Networks

Compliance &

Reporting

Trust

Management

Sec

uri

ty P

oli

cy I

nfr

astr

uc

ture

Authentication

Services

IT Security Services

Authorization

Services

Audit

Services

Identity Services

Integrity

Services

Non-repudiation

Services

Confidentiality

Services

Security Enablers

Go

ve

rna

nce

an

d R

isk M

an

ag

em

en

t

Po

lic

y

Ma

na

ge

me

nt

Web Services Security

Interoperable security enablers and services

• Message security

–Integrity, Confidentiality, Identity propagation

• Policy constraints, requirements

–Constraints, Authorization, privacy, ..

• Security services

–Standardized virtualized security services

Standards Summary: Web Services Security

Message SecurityMessage Security

SecuritySecurityPolicyPolicy

SecureSecureConversationConversation

TrustTrust

FederationFederation

PrivacyPrivacy

AuthorizationAuthorization

SOAP MessagingSOAP Messaging

Message protection

10/23/2007 Template Documentation 15

Message Processing Requires New Layers of Security

WS-Security

SenderSender ReceiverReceiverIntermediaryIntermediary IntermediaryIntermediary

……

WS-Security• Defines a framework for building security protocols

– Integrity

– Confidentiality

– Propagation of security tokens

• Framework designed for end-to-end security of SOAP messages

– From initial sender, through 0-n intermediaries to ultimate receiver

• Leverages existing XML security specs

– XMLDSIG for integrity

– XMLENC for confidentiality

• Provides constructs for transmitting security tokens

– Supports XML and binary tokens

WS-Security

• WS-Security does provide:

– Message level security

– “Improved SSL”

– Security at lower/network

layer

– Transmission security

– Message authentication

– Message confidentiality

– Message integrity

• WS-Security does NOT provide:

– Application level security

– Enterprise security

– Authentication mechanisms

– Authorization security

– Intrusion detection

– Identity management

– Security Architecture

– Network Security

– Anti-Virus protection

What are Security Tokens?• Examples include

– Username token

– X509 Certificate

– Kerberos ticket

– REL license

– SAML assertion

• Represent claims about

– Identity

– Capabilities

– Privileges

• Message claims to be from Alice

– Specified using Alice's X509

certificate

• Proof is based on Alice's private key

– Signing part of the message

with her private key proves that she knows the key and

is therefore Alice

– Specifically, that the signed

parts are from Alice

Web Services message transmission

Soap Header

Message Header and Routing

Security Content

Signature

Actual signed content

Message Body

Soap EnvelopeSoap Envelope

Security Token

WS Security• Terminology:

– Claim - A claim is a statement that a client makes (e.g. name, identity, key, group, privilege, capability, etc).

– Security Token - A security token represents a collection of claims.

– Signed Security Token - A signed security token is a security token that is asserted and cryptographically endorsed by a specificauthority (e.g. an X.509 certificate or a Kerberos ticket).

– Proof-of-Possession - The proof-of-possession information is data that is used in a proof process to demonstrate the sender's knowledge ofinformation that SHOULD only be known to the claiming sender of a security token.

– Integrity - Integrity is the process by which it is guaranteed that information is not modified in transit.

– Confidentiality - Confidentiality is the process by which data is protected such that only authorized actors or security token owners can view the data

– Digest - A digest is a cryptographic checksum of an octet stream.

– Signature - A signature is a cryptographic binding of a proof-of-possession and a digest. This covers both symmetric key-based and public key-based signatures. Consequently, non-repudiation is not always achieved.

– Attachment - An attachment is a generic term referring to additional data that travels with a SOAP message, but is not part of the SOAP Envelope.

WS Security Capabilities Summary

• Message Security Model

– Security Tokens MAY be bound to messages

• Message Protection

– Message Integrity – attained by using XML Signatures with Security Tokens

– Message Confidentiality – attained by using XML Encryption with Security Tokens

• WS Security Standard allows:

– Encryption/Signing of:• Body

• Body Elements

• Header

• Attachments

WS Security Message Example

(001) <?xml version="1.0" encoding="utf-8"?>(002) <S:Envelope xmlns:S="http://www.w3.org/2001/12/soap-envelope"

xmlns:ds="http://www.w3.org/2000/09/xmldsig#">(003) <S:Header>(004) <m:path xmlns:m="http://schemas.xmlsoap.org/rp/">(005) <m:action>http://fabrikam123.com/getQuote</m:action>(006) <m:to>http://fabrikam123.com/stocks</m:to>(007) <m:id>uuid:84b9f5d0-33fb-4a81-b02b-5b760641c1d6</m:id>(008) </m:path>

First two lines start SOAP message

Lines 004 to 008 define how to route this message

Message example with a username security token (1 of 3):

WS Security Message Example

(009) <wsse:Securityxmlns:wsse="http://schemas.xmlsoap.org/ws/2002/04/secext">

(010) wsse:UsernameToken Id="MyID">(011) <wsse:Username>Zoe</wsse:Username>(012) </wsse:UsernameToken>(013) <ds:Signature>(014) <ds:SignedInfo>(015) <ds:CanonicalizationMethod

Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>

(016) <ds:SignatureMethodAlgorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>

(017) <ds:Reference URI="#MsgBody">(018) <ds:DigestMethod

Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>

(019) <ds:DigestValue>LyLsF0Pi4wPU...</ds:DigestValue>(020) </ds:Reference>

Line 009: Start of Security header

Lines 010 to 012 specify the security token

Message example with a username security token (2 of 3):

Lines 013 to 028 specify a digitalsignature – this example uses a signature based on the security token, this is NOT a recommended signature scheme

WS Security Message Example

(021) </ds:SignedInfo>(022) <ds:SignatureValue>DJbchm5gK...</ds:SignatureValue>(023) <ds:KeyInfo>(024) <wsse:SecurityTokenReference>(025) <wsse:Reference URI="#MyID"/>(026) </wsse:SecurityTokenReference>(027) </ds:KeyInfo>(028) </ds:Signature>(029) </wsse:Security>(030) </S:Header>(031) <S:Body Id="MsgBody">(032) <tru:StockSymbol xmlns:tru="http://fabrikam123.com/payloads">

QQQ</tru:StockSymbol>

(033) </S:Body>(034) </S:Envelope>

Lines 031 to 033 contain the body of the SOAP message

Message example with a username security token (3 of 3):

Interoperable secure messages

across SOA environment

WS-Security based messages:

Tokens, Signature, Encrypted elements

IBM

WebSphere

IBM WebSphere

DataPower

Trust model: trust, authentication

and identity propagation

WS-Trust• Defines how to broker trust relationships

– Some trust relationship has to exist a priori

• Defines how to exchange security tokens

• Defined as an interface specification for a Security

Token Service

• Anyone can issue tokens (be a Security Token

Service)

Getting Tokens• A RequestSecurityToken message is sent to the trust

service

• It responds with a RequestSecurityTokenResponse

– Contains required security token and associated details (e.g. proof)

• Example

– I want to have secure communication with you

– I ask the trust service for a token to allow me to talk to you

– The trust service sends two copies of a secret key

• One encrypted for me (proof token)

• One encrypted for you (requested token)

Example

11111111U/P

T1

P1

TrustTrustTrustTrustTrustTrustTrustTrust

22222222 T2

P2

T1

33333333

T2

Trust

Trust

Trust

Trust

Trust

Trust

Trust

Trust

T#

P#

Security TokenSecurity Token

Proof tokenProof token

Identity mediation using WS-TrustTivoli Federated Identity Manager

ESB

Firewall

Firewall

Tivoli Federated Identity Manager

DataPower

Challenge mechanism

Request TokenRequest Token

Issue ChallengeIssue Challenge

Respond to ChallengeRespond to Challenge

Issue TokenIssue Token

Other Token Characteristics• Requester can specify various required

characteristics of the security token

– Key type, size

– Delegation constraints

– …

• Trust service can then indicate those characteristics in the response

– May indicate anything it thinks important

Persisted Context

SCT

Farm Context

SCT

WS-SecureConversation• WS-Security provides for single message security

• Nodes will often want to exchange more than one

message

– Specifying new symmetric keys for each message is tedious, verbose, and inefficient

• WS-SecureConversation defines mechanisms to

address this

WS-SecureConversation• Participants establish a shared context

– Context contains keys/secrets and other

information

– Can be stateless (state embedded in security

context token)

• Context established multiple ways

– Using token exchange

– Having one party create the context

– Through negotiation

Policy

Policy Framework

PolicyPolicy

PolicyPolicyAttachmentAttachment

PolicyPolicyAssertionsAssertions

WSDLWSDL

WS-Policy• Framework for expressing Web service

capabilities and requirements

–Security

–Transactions

–Reliable messaging

–Transports

–...

WS-Policy Model• Policy: collection of alternatives; pick one

• Alternative: collection of assertions; do all

• Assertion: domain-specific behavior

–Strongly typed

–Arbitrary parameters to behavior

WS-Policy Expressions• May represent a policy in a compact form

–Nest operators

• All distributes over ExactlyOne

–Assertion/@wsp:Optional=‘true’

• An alternative with and an alternative without

• Simplification of prior @wsp:Usage=‘xs:QName’

–Policy reference to reuse common expression

• Included as is where referenced

WS-Policy Intersections

• Do two Web service endpoints have compatible policy?

–At design time to “wire together” compatible

services

–At runtime to select compatible options

• Two alternatives are compatible if they at least have the same assertion types

WS-Policy Runtime Intersections

WS-PolicyAttachment• Associate policy with WSDL constructs

– Interface-wide policy, e.g.,

• SOAP version

• Transports (and addresses)

• Which token to use when signing messages

• Which version of transactions (if any)

– Message policy, e.g.,

• Which parts of this message to sign

• Whether this message is part of a transaction

WS-SecurityPolicy• A set of policy assertions related to

concepts defined by other WS-Sec* specs

• Allows participants to specify

– Token types

– Whether integrity and/or confidentiality are

required

– Algorithms for the above

– Which message parts need signing/encrypting

WS-SecurityPolicy Example<wsp:Policy><sp:SymmetricBinding><wsp:Policy><sp:ProtectionToken><wsp:Policy><sp:KerberosV5APREQToken

sp:IncludeToken=".../IncludeToken/Once" /></wsp:Policy>

</sp:ProtectionToken><sp:SignBeforeEncrypting /><sp:EncryptSignature />

</wsp:Policy></sp:SymmetricBinding><sp:SignedParts><sp:Body/><sp:Header

Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing"/>

</sp:SignedParts><sp:EncryptedParts><sp:Body/>

</sp:EncryptedParts></wsp:Policy>

Federation

WS-Federation• “Single Sign-On” access across trust

domains using identities from the different domains

• WS-Federation defines a model for this building on the WS-* security specifications:–Model for trust

–Sign out messages

–Attribute service

–Pseudonym service

Federation –Using Tivoli Federated Identity Manager

Web Access /Web SSO

Benefits Service Billing ServicePortal

Service

Web SSO Web SSO Web SSO

WS-Security/WS-Federation/SAML

Partners using

Microsoft®

Partners using

Liberty

Partners using

SAML

Third-party User

Partner

Third Party

Third-Party Access

Tivoli FederatedIdentity Manager

User

Federated Access

Direct Access

WS-Federation/SAML

Authorization

Authorization (WS-Trust profile)

• Authorization service that renders authorization decision and can return entitlements

• Authorization attributes could be part of token issue

• Built on WS-Trust

• Now published as part of WS-Federation spec

Secure, Reliable, Transacted Web Services

Service Composition

ComposableService

Assurances

Description

Messaging

Transports

BPEL4WS

Security

XSD, WSDL, UDDI, Policy, MetadataExchange

XML, SOAP, Addressing

HTTP, HTTPS, SMTP

ReliableMessaging

Transactions

From joint IBM/MSFT WS Whitepaper at From joint IBM/MSFT WS Whitepaper at

http://msdn.microsoft.com/webservices/default.aspx?pull=/libraryhttp://msdn.microsoft.com/webservices/default.aspx?pull=/library/en/en--us/dnwebsrv/html/wsoverview.aspus/dnwebsrv/html/wsoverview.asp

Importance of Composition• Everything works in combination

– Ex: Transaction context works over a reliable connection

– Ex: Participants use WS-Security to secure transactions (for

all types participants)

• Not "reinventing the wheel" for every stack

– Code reuse, lower costs, faster time to market

– Ex: all resources named using WS-Addressing

• The overall system is more stable

– Changes don't percolate up the stack

– Ex: By using WS-Security, Federation supports all tokens,

including future ones

Composable Headers

Addressing

<S:Envelope … ><S:Header>

<wsa:ReplyTo><wsa:Address>http://business456.com/User12</wsa:Address>

</wsa:ReplyTo><wsa:To>http://fabrikam123.com/Traffic</wsa:To><wsa:Action>http://fabrikam123.com/Traffic/Status</wsa:Action>

<wssec:Security> <wssec:BinarySecurityToken

ValueType="wssec:X509v3" EncodingType=“wssec:Base64Binary">

dWJzY3JpYmVyLVBlc…..eFw0wMTEwMTAwMD</wssec:BinarySecurityToken>

</wssec:Security><wsrm:Sequence>

<wsu:Identifier>http://fabrikam123.com/seq1234</wsu:Identifier><wsrm:MessageNumber>10</wsrm:MessageNumber>

</wsrm:Sequence></S:Header><S:Body>

<app:TrafficStatusxmlns:app="http://highwaymon.org/payloads">

<road>520W</road><speed>3MPH</speed></app:TrafficStatus>

</S:Body></S:Envelope>

Security

Reliability

IBM Product Support• WebSphere Application Server 5.0

– Supported WS-Security input spec as a technology preview

– WAS 5.02 Supported the first WSS TC committee draft as a

partial implementation

• WebSphere Application Server 5.1

– Increased support for the first WSS TC committee draft

• WebSphere Application Server 6.0

– Supports full OASIS WSS TC Standard v1.1

• Tivoli Federated Identity Manager

– WS-Security support

– WS-Trust support

– WS-Federation support

Standards Summary: Web Services Security

Message SecurityMessage Security

SecuritySecurityPolicyPolicy

SecureSecureConversationConversation

TrustTrust

FederationFederation

PrivacyPrivacy

AuthorizationAuthorization

SOAP MessagingSOAP Messaging

References (1 of 4)

• OASIS WSS TC Homepage– http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=wss

• Web Services Security: SOAP Message Security– http://www.oasis-open.org/committees/download.php/5941/oasis-

200401-wss-soap-message-security-1.0.pdf

• Web Services Security: Username Token Profile– http://www.oasis-open.org/committees/download.php/5942/oasis-

200401-wss-username-token-profile-1.0.pdf

• Web Services Security: X.509 Certificate Token Profile– http://www.oasis-open.org/committees/download.php/5943/oasis-

200401-wss-x509-token-profile-1.0.pdf

• Schema Files– http://www.oasis-open.org/committees/download.php/5076/oasis-

200401-wss-wssecurity-secext-1.0.xsd.xsd

– http://www.oasis-open.org/committees/download.php/5075/oasis-200401-wss-wssecurity-utility-1.0.xsd.xsd

References (2 of 4)

• OASIS WSS TC Call for participation & Original Charter– http://lists.oasis-open.org/archives/wss/200207/msg00000.html

• OASIS WSS TC Revised Charter – after first TC meeting– http://lists.oasis-open.org/archives/members/200209/msg00007.html

• OASIS Announcement of public review phase for WS-Security– http://lists.oasis-open.org/archives/members/200309/msg00011.html

• OASIS Announcement of WSS voting as a 1.0 standard– http://lists.oasis-open.org/archives/members/200403/msg00014.html

• Original DeveloperWorks posting of WS-Security,Roadmap & Addendum– http://www-106.ibm.com/developerworks/webservices/library/ws-

secure/– http://www-106.ibm.com/developerworks/webservices/library/ws-

secmap/

– http://www-106.ibm.com/developerworks/library/ws-secureadd.html

• WS-Security License from IBM– http://www.ibm.com/ibm/licensing/977Q/2112.shtml

• WS-Security License from Microsoft– http://msdn.microsoft.com/webservices/wss_license.aspx

References (3 of 4)• OASIS WSS TC Disposition of public review/comments

– http://lists.oasis-open.org/archives/wss/200401/msg00157.html

– http://lists.oasis-open.org/archives/wss/200311/msg00044.html

• OASIS WSS TC Notes sent to OASIS at submission time– http://lists.oasis-open.org/archives/wss/200402/msg00040.html– http://www.oasis-

open.org/apps/org/workgroup/wss/download.php/5334/submission-notes.pdf

• Statements of implementation– http://lists.oasis-open.org/archives/wss/200402/msg00022.html

– http://lists.oasis-open.org/archives/wss/200402/msg00027.html

– http://lists.oasis-open.org/archives/wss/200402/msg00023.html – http://lists.oasis-open.org/archives/wss/200402/msg00029.html

– http://lists.oasis-open.org/archives/wss/200402/msg00024.html – http://lists.oasis-open.org/archives/wss/200402/msg00026.html

– http://lists.oasis-open.org/archives/wss/200402/msg00025.html

– http://lists.oasis-open.org/archives/wss/200402/msg00028.html

References (4 of 4)

• OASIS WSS TC Public review comments archive

– http://lists.oasis-open.org/archives/wss-comment/

• OASIS WSS TC Latest “issues list” as of 3/23/2004

– http://www.oasis-open.org/committees/download.php/6047/wss-issues-36.htm