Security Patterns with WSO2 ESB
May 2014
Security Patterns with WSO2 ESB
Isuru Udana, Senior Software Engineer
Jeewantha Dharmaparakrama, Software Engineer
About the Presenters
๏ Jeewantha Dharmaparakrama, Software Engineer, WSO2, [email protected]
๏ Isuru Udana, Senior Software Engineer, WSO2, [email protected]
About WSO2
๏ Global enterprise, founded in 2005 by acknowledged leaders in XML, web services technologies, standards and open source
๏ Provides the only open source platform-as-a-service for private, public and hybrid cloud deployments
๏ All WSO2 products are 100% open source and released under the Apache License Version 2.0.
๏ Is an Active Member of OASIS, Cloud Security Alliance, OSGi Alliance, AMQP Working Group, OpenID Foundation and W3C.
๏ Driven by Innovation
๏ Launched first open source API Management solution in 2012
๏ Launched App Factory in 2Q 2013
๏ Launched Enterprise Store and first open source Mobile solution in 4Q 2013
What WSO2 delivers
Outline
• Security with WSO2 ESB
• WS-Security
• Transport Level Security
• OAuth and Entitlement
• Some of the commonly used Security Patterns in SOA
• Authentication patterns
• Authorization patterns
• Data Confidentiality
• Data integrity and non-repudiation
• QnA
Security Requirements
• Authentication
• Authorization
• Confidentiality
• Integrity
• Non-repudiation
• Availability
WSO2 ESB
• A lightweight, high performance ESB
• Feature rich and standards compliant
• SOAP and WS-* standards
• REST support
• Domain specific protocol support (e.g. FIX, HL7)
• User friendly and highly extensible
• 100% free and open source with commercial support
Security with WSO2 ESB
• WS-Security
• Transport Level Security
• OAuth and Entitlement
WS-Security with WSO2 ESB
• WS-Security is an extension to SOAP that applies security to Web services
• Provides message level security
• Apache Rampart handles WS-Security at the ESB
• Policy (WS-SecurityPolicy) driven
WS-Security with WSO2 ESB...
Unsecured Services
WS-Security with WSO2 ESB...
Exposing Unsecured Services as Secured
WS-Security with WSO2 ESB...
Exposing Secured Services as Unsecured
WS-Security with WSO2 ESB...
Security Transition
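The two proxy patterns above, as an added Synapse configuration example (not code from the slides): one proxy that puts a WS-SecurityPolicy in front of an unsecured backend, and one that takes a plain SOAP request and applies the policy when calling a secured backend. Backend URLs, proxy names and the policy file path are placeholders; `sec_policy`, `<enableSec/>` and `<policy key=.../>` are the standard Synapse elements.

```xml
<!-- Shared WS-SecurityPolicy; the path is a placeholder for your own policy file. -->
<localEntry xmlns="http://ws.apache.org/ns/synapse" key="sec_policy" src="file:/path/to/policy.xml"/>

<!-- Pattern 1: expose an unsecured backend as a secured service. Rampart enforces sec_policy on
     every inbound message (enableSec); the already-verified wsse:Security header is removed so the
     plain backend never has to parse it. https only, so a UsernameToken is never sent in clear. -->
<proxy xmlns="http://ws.apache.org/ns/synapse" name="SecuredFrontProxy" transports="https" startOnLoad="true">
  <target>
    <inSequence>
      <header xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
              name="wsse:Security" action="remove"/>
      <send>
        <endpoint>
          <address uri="http://backend.example.internal:9000/services/StockQuoteService"/>
        </endpoint>
      </send>
    </inSequence>
    <outSequence>
      <send/>
    </outSequence>
  </target>
  <policy key="sec_policy"/>
  <enableSec/>
</proxy>

<!-- Pattern 2: expose a secured backend as an unsecured service. Callers send plain SOAP to the ESB
     over the internal network; the endpoint applies sec_policy (sign/encrypt with the ESB's own
     key material) before calling the secured backend, so callers need no WS-Security stack. -->
<proxy xmlns="http://ws.apache.org/ns/synapse" name="UnsecuredFrontProxy" transports="http" startOnLoad="true">
  <target>
    <inSequence>
      <send>
        <endpoint>
          <address uri="https://secure.example.internal:9443/services/SecuredStockQuoteService">
            <enableSec policy="sec_policy"/>
          </address>
        </endpoint>
      </send>
    </inSequence>
    <outSequence>
      <send/>
    </outSequence>
  </target>
</proxy>
```

Pattern 2 moves the trust boundary to the ESB: anyone who can reach UnsecuredFrontProxy on http can invoke the secured backend, so its transport should be restricted to the internal network or combined with transport level security.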
Transport Level Security
HTTPS Transport
• High performance PassThrough Transport
• Supports:
• SSL
• Mutual SSL
• SSL Profiles (Inbound and Outbound)
• Verification of certificate revocation (OCSP/CRL)
• SSL Tunneling
HTTPS Transport
Mutual SSL
• Client and the server authenticate each other
• Similar to SSL but with the addition of client authentication
• The server requests the client to provide a certificate
• Typically used when an extra level of security is needed
• Extra cost involved
Demo 1: Mutual SSL
SSL Outbound Profiles
• Allows specifying different SSL profiles for different backend servers
• Each profile has a separate KeyStore and a TrustStore
• Allows connecting to different target servers using different certificates and identities
SSL Inbound Profiles
• Allows specifying different SSL profiles for different IP addresses of the server
• Each profile has a separate KeyStore and a TrustStore
Verification of Certificate Revocation
- A certificate has an expiry time.
- What if a certificate gets revoked before the expiration time?
- There should be a way to make those certificates untrustworthy.
• Certificate Revocation List (CRL)
• Online Certificate Status Protocol (OCSP)
CRL
• A Certificate Revocation List (CRL) is a list of certificates that have been revoked by their issuer (CA)
• Entities presenting those (revoked) certificates should no longer be trusted
• A CRL is generated and published periodically
OCSP
• Online Certificate Status Protocol offers an alternative to a certificate revocation list (CRL)
• Real-time revocation status during the certificate verification process
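The HTTPS transport features above (mutual SSL, SSL outbound profiles and OCSP/CRL revocation checking) as one added axis2.xml example; this is not configuration from the slides, and the parameter names follow the WSO2 ESB 4.8.x pass-through transport as I know it, so check them against your version's axis2.xml. Keystore paths, passwords and the partner host are placeholders, and the sender's default keystore/truststore parameters (unchanged from the stock file) are not repeated.

```xml
<!-- Inbound HTTPS listener: mutual SSL plus OCSP/CRL revocation checks on the client certificate. -->
<transportReceiver name="https" class="org.apache.synapse.transport.passthru.PassThroughHttpSSLListener">
  <parameter name="port" locked="false">8243</parameter>
  <parameter name="non-blocking" locked="false">true</parameter>
  <parameter name="keystore" locked="false">
    <KeyStore>
      <Location>/path/to/esb-identity.jks</Location>   <!-- placeholder paths and passwords throughout -->
      <Type>JKS</Type>
      <Password>changeit</Password>
      <KeyPassword>changeit</KeyPassword>
    </KeyStore>
  </parameter>
  <parameter name="truststore" locked="false">
    <TrustStore>
      <Location>/path/to/client-truststore.jks</Location>   <!-- only the CAs allowed to issue client certs -->
      <Type>JKS</Type>
      <Password>changeit</Password>
    </TrustStore>
  </parameter>
  <!-- "require" makes this mutual SSL: a client with no trusted certificate is refused in the handshake;
       the default "optional" would still let it through. -->
  <parameter name="SSLVerifyClient">require</parameter>
  <!-- Check the presented chain against OCSP/CRL; cache results so the CA round trip is not paid per connection. -->
  <parameter name="CertificateRevocationVerifier" enable="true">
    <CacheSize>1024</CacheSize>
    <CacheDelay>2</CacheDelay>
  </parameter>
</transportReceiver>
<!-- Outbound HTTPS sender: one SSL profile (own key pair and trust store) per backend host:port. -->
<transportSender name="https" class="org.apache.synapse.transport.passthru.PassThroughHttpSSLSender">
  <parameter name="non-blocking" locked="false">true</parameter>
  <parameter name="customSSLProfiles">
    <profile>
      <servers>partner.example.com:443,partner.example.com:8443</servers> <!-- hosts not listed use the default stores -->
      <KeyStore>
        <Location>/path/to/partner-identity.jks</Location>
        <Type>JKS</Type>
        <Password>changeit</Password>
        <KeyPassword>changeit</KeyPassword>
      </KeyStore>
      <TrustStore>
        <Location>/path/to/partner-truststore.jks</Location>
        <Type>JKS</Type>
        <Password>changeit</Password>
      </TrustStore>
    </profile>
  </parameter>
</transportSender>
```

Keeping the partner's trust store separate from the listener's client trust store means a compromise of one partner CA cannot be used to present a client certificate to the ESB.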
SSL Tunneling
• If a proxy service connects to a back-end server through a proxy server, we can enable SSL Tunneling through the proxy server
• SSL Tunneling prevents any intermediary proxy servers from interfering with the communication
OAuth mediator
• Used for constrained access delegation.
• The client has to get an OAuth access token from the Authorization server
• When a client sends a request with an OAuth token, the OAuth mediator gets the access token validated by the Authorization server.
Example configuration:
<oauthService xmlns="http://ws.apache.org/ns/synapse" remoteServiceUrl="https://localhost:9443/service" username="foo" password="bar" />
Entitlement mediator
• Intercepts requests and evaluates the actions performed by the user against an eXtensible Access Control Markup Language (XACML) policy.
• WSO2 Identity Server can be used as the XACML Policy Decision Point (PDP) where the policy is set.
• WSO2 ESB serves as the XACML Policy Enforcement Point (PEP) where the policy is enforced.
Some common security patterns with WSO2 ESB
Authentication
• Direct authentication
• Brokered authentication
• Protocol transition
• Trusted subsystem
Direct Authentication
Brokered Authentication
• Security Token Service - SAML Assertions
• Kerberos
http://wso2.com/library/articles/2012/07/kerberos-authentication-using-wso2-products/
Protocol Transition
Trusted Subsystem
Some common security patterns with WSO2 ESB Contd.
Authorization
• Role based access control
• Claim based authorization
• Constrained access delegation
Role based Access Control
Claim based Authorization
Authorization based on Claims carried in a SAML token using the Entitlement Mediator https://docs.wso2.org/display/ESB481/Entitlement+Mediator
Constrained Access Delegation
Using the OAuth Mediator https://docs.wso2.org/display/ESB481/OAuth+Mediator
Constrained Access Delegation Contd.
1. Client gets registered with the Authorization server (WSO2 IS)
2. Authorization server generates a client ID and client secret for the registered client.
Constrained Access Delegation
3. Client requests the OAuth access token for the resource from the Authorization server, providing the client ID and secret:
curl -u <Client_id>:<Client_secret> -k -d "grant_type=password&username=admin&password=admin" -H "Content-Type:application/x-www-form-urlencoded" https://localhost:9444/oauth2endpoints/token
4. Authorization server provides the access token to the client:
{"token_type":"bearer","expires_in":810, "refresh_token":"8dd86285b6ccde955ce4ab65f41871cb", "access_token":"4eb7939a6db20a0eddcd44e59badcb6"}
5. Client sends the access token in an Authorization HTTP header to the resource server via WSO2 ESB:
curl -H "Authorization:Bearer 4eb7939a6db20a0eddcd44e59badcb6" -v http://localhost:8282/stockquote/view/IBM
6. OAuth mediator in WSO2 ESB does the access token verification with the Authorization server (WSO2 IS)
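The ESB side of steps 5 and 6 as an added Synapse API example (not configuration from the slides): the resource matching the /stockquote/view/IBM URL runs the OAuth mediator before anything reaches the backend, and its fault sequence turns a failed validation into an HTTP 401. The Identity Server URL assumes the same port offset as the token endpoint in step 3; the backend URL and the ESB's own credentials for calling Identity Server are placeholders, and `<respond/>` and JSON payloadFactory assume ESB 4.8.x.

```xml
<!-- REST API fronting the resource server; step 5's request hits /stockquote/view/IBM. -->
<api xmlns="http://ws.apache.org/ns/synapse" name="StockQuoteAPI" context="/stockquote">
  <resource methods="GET" uri-template="/view/{symbol}">
    <inSequence>
      <!-- Step 6: validate the bearer token in the Authorization header with the Authorization
           server (WSO2 IS, assumed on port 9444 as in step 3). Credentials are placeholders. -->
      <oauthService remoteServiceUrl="https://localhost:9444/services/" username="esb-admin" password="CHANGE_ME"/>
      <!-- Only a request carrying a valid token gets here; the backend never sees the token itself. -->
      <send>
        <endpoint>
          <address uri="http://backend.example.internal:9000/stockquote"/>   <!-- assumed backend -->
        </endpoint>
      </send>
    </inSequence>
    <outSequence>
      <send/>
    </outSequence>
    <faultSequence>
      <!-- oauthService raises a fault for a missing, malformed, expired or revoked token. Answer with
           401 plus WWW-Authenticate instead of the default SOAP fault, so the client knows to obtain
           a new token (steps 3 and 4) rather than retry the same one. -->
      <property name="HTTP_SC" value="401" scope="axis2"/>
      <property name="WWW-Authenticate" value="Bearer realm=&quot;stockquote&quot;, error=&quot;invalid_token&quot;" scope="transport"/>
      <payloadFactory media-type="json">
        <format>{"error":"invalid_token"}</format>
        <args/>
      </payloadFactory>
      <property name="messageType" value="application/json" scope="axis2"/>
      <respond/>
    </faultSequence>
  </resource>
</api>
```

The -k in step 3's curl disables certificate verification of the token endpoint and belongs to the local demo only; with the client's password travelling in that request, a production client must verify the Identity Server certificate.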
Some common security patterns with WSO2 ESB Contd.
Confidentiality
Data encryption with WS-Security
Non-Repudiation + Integrity
Data signing with WS-Security
Demo 2: WS-Sec Sign and Encryption
QnA
Business Model
Contact us!