Your SlideShare is downloading. ×
0
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Securing Web Services with CAS Proxy Tickets
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

Securing Web Services with CAS Proxy Tickets

254

Published on

A solution implemented at Simon Fraser University to use CAS proxy tickets to provide authorization to web services from thick client web applications.

A solution implemented at Simon Fraser University to use CAS proxy tickets to provide authorization to web services from thick client web applications.

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
254
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
11
Comments
0
Likes
0
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. Securing Web Services Solving the Web Services Security Problem with an XML Gateway June 2010
  • 2. About Us IT Services - Jeremy Rosenberg / Steve Hillman
  • 3. • Jeremy Rosenberg Developer in IT services since 2004 Identity management strategy Java Developer About Us IT Services - Jeremy Rosenberg / Steve Hillman
  • 4. • Jeremy Rosenberg Developer in IT services since 2004 Identity management strategy Java Developer • Steve Hillman IT Architect With IT Services since 1987 Unix infrastructure About Us IT Services - Jeremy Rosenberg / Steve Hillman
  • 5. About SFU IT Services - Jeremy Rosenberg / Steve Hillman
  • 6. • Named after famous explorer Simon Fraser 1776 -1862 About SFU IT Services - Jeremy Rosenberg / Steve Hillman
  • 7. • Named after famous explorer • Opened on September 9, 1965 Simon Fraser 1776 -1862 About SFU IT Services - Jeremy Rosenberg / Steve Hillman
  • 8. • Named after famous explorer • Opened on September 9, 1965 • One University - Three campuses • Burnaby • Surrey • Vancouver Simon Fraser 1776 -1862 About SFU IT Services - Jeremy Rosenberg / Steve Hillman
  • 9. • Named after famous explorer • Opened on September 9, 1965 • One University - Three campuses • Burnaby • Surrey • Vancouver • 32,000 students • 900 faculty • 1600 staff • 100,000 alumni Simon Fraser 1776 -1862 About SFU IT Services - Jeremy Rosenberg / Steve Hillman
  • 10. About This Presentation IT Services - Jeremy Rosenberg / Steve Hillman
  • 11. • Definitions About This Presentation IT Services - Jeremy Rosenberg / Steve Hillman
  • 12. • Definitions • XML Security Challenges About This Presentation IT Services - Jeremy Rosenberg / Steve Hillman
  • 13. • Definitions • XML Security Challenges • About the Layer 7 SecureSpan XML Gateway About This Presentation IT Services - Jeremy Rosenberg / Steve Hillman
  • 14. • Definitions • XML Security Challenges • About the Layer 7 SecureSpan XML Gateway • Why we chose SecureSpan About This Presentation IT Services - Jeremy Rosenberg / Steve Hillman
  • 15. • Definitions • XML Security Challenges • About the Layer 7 SecureSpan XML Gateway • Why we chose SecureSpan • A little about Public Keys About This Presentation IT Services - Jeremy Rosenberg / Steve Hillman
  • 16. • Definitions • XML Security Challenges • About the Layer 7 SecureSpan XML Gateway • Why we chose SecureSpan • A little about Public Keys • Walkthroughs • SOAP • REST About This Presentation IT Services - Jeremy Rosenberg / Steve Hillman
  • 17. • Definitions • XML Security Challenges • About the Layer 7 SecureSpan XML Gateway • Why we chose SecureSpan • A little about Public Keys • Walkthroughs • SOAP • REST • Questions About This Presentation IT Services - Jeremy Rosenberg / Steve Hillman
  • 18. •First, A Few Definitions Definitions IT Services - Jeremy Rosenberg / Steve Hillman
  • 19. Definitions IT Services - Jeremy Rosenberg / Steve Hillman
  • 20. Web Service: Definitions IT Services - Jeremy Rosenberg / Steve Hillman
  • 21. Web Service: • An API to a remote procedure Definitions IT Services - Jeremy Rosenberg / Steve Hillman
  • 22. Web Service: • An API to a remote procedure • Typically accessed over HTTP Definitions IT Services - Jeremy Rosenberg / Steve Hillman
  • 23. Web Service: • An API to a remote procedure • Typically accessed over HTTP • Machine-to-machine communications Definitions IT Services - Jeremy Rosenberg / Steve Hillman
  • 24. Web Service: • An API to a remote procedure • Typically accessed over HTTP • Machine-to-machine communications • Allows data source to be loosely coupled to applications Definitions IT Services - Jeremy Rosenberg / Steve Hillman
  • 25. Web Service: • An API to a remote procedure • Typically accessed over HTTP • Machine-to-machine communications • Allows data source to be loosely coupled to applications • Makes systems reusable Definitions IT Services - Jeremy Rosenberg / Steve Hillman
  • 26. Web Service: • An API to a remote procedure • Typically accessed over HTTP • Machine-to-machine communications • Allows data source to be loosely coupled to applications • Makes systems reusable • Very popular with Twitter, Facebook, Amazon, etc Definitions IT Services - Jeremy Rosenberg / Steve Hillman
  • 27. Definitions - SOAP vs REST IT Services - Jeremy Rosenberg / Steve Hillman
  • 28. •SOAP: Definitions - SOAP vs REST IT Services - Jeremy Rosenberg / Steve Hillman
  • 29. •SOAP: • XML Message passing protocol Definitions - SOAP vs REST IT Services - Jeremy Rosenberg / Steve Hillman
  • 30. •SOAP: • XML Message passing protocol • Numerous ‘WS-’ standards Definitions - SOAP vs REST IT Services - Jeremy Rosenberg / Steve Hillman
  • 31. •SOAP: • XML Message passing protocol • Numerous ‘WS-’ standards • Associated with “Big” Web Services • Most vendor SOA solutions use SOAP Definitions - SOAP vs REST IT Services - Jeremy Rosenberg / Steve Hillman
  • 32. Definitions - SOAP vs REST IT Services - Jeremy Rosenberg / Steve Hillman
  • 33. •REST: • URL-addressable objects Definitions - SOAP vs REST IT Services - Jeremy Rosenberg / Steve Hillman
  • 34. •REST: • URL-addressable objects • “http://maps.google.com/maps/api/geocode/xml? address=Memorial+University,+NL,+CA” Definitions - SOAP vs REST IT Services - Jeremy Rosenberg / Steve Hillman
  • 35. •REST: • URL-addressable objects • “http://maps.google.com/maps/api/geocode/xml? address=Memorial+University,+NL,+CA” • Accessed and manipulated with standard HTTP GET/POST/PUT/DELETE Definitions - SOAP vs REST IT Services - Jeremy Rosenberg / Steve Hillman
  • 36. •REST: • URL-addressable objects • “http://maps.google.com/maps/api/geocode/xml? address=Memorial+University,+NL,+CA” • Accessed and manipulated with standard HTTP GET/POST/PUT/DELETE • Lightweight client requirements Definitions - SOAP vs REST IT Services - Jeremy Rosenberg / Steve Hillman
  • 37. •REST: • URL-addressable objects • “http://maps.google.com/maps/api/geocode/xml? address=Memorial+University,+NL,+CA” • Accessed and manipulated with standard HTTP GET/POST/PUT/DELETE • Lightweight client requirements • Stateless (every request is self-contained) Definitions - SOAP vs REST IT Services - Jeremy Rosenberg / Steve Hillman
  • 38. •REST: • URL-addressable objects • “http://maps.google.com/maps/api/geocode/xml? address=Memorial+University,+NL,+CA” • Accessed and manipulated with standard HTTP GET/POST/PUT/DELETE • Lightweight client requirements • Stateless (every request is self-contained) • WS- standards are less mature Definitions - SOAP vs REST IT Services - Jeremy Rosenberg / Steve Hillman
  • 39. ! •Web Services Security Challenges “Put out an A.P.B. on a donut, believed sprinkled.” IT Services - Jeremy Rosenberg / Steve Hillman
  • 40. Web Services Security Challenges IT Services - Jeremy Rosenberg / Steve Hillman
  • 41. • Web Services can communicate over many transport protocols Web Services Security Challenges IT Services - Jeremy Rosenberg / Steve Hillman
  • 42. • Web Services can communicate over many transport protocols • Commonly accessed over web protocols like HTTP Web Services Security Challenges IT Services - Jeremy Rosenberg / Steve Hillman
  • 43. • Web Services can communicate over many transport protocols • Commonly accessed over web protocols like HTTP • Easy for Web services to bypass traditional firewalls Web Services Security Challenges IT Services - Jeremy Rosenberg / Steve Hillman
  • 44. • Web Services can communicate over many transport protocols • Commonly accessed over web protocols like HTTP • Easy for Web services to bypass traditional firewalls XML HTTP XML Web Services Security Challenges IT Services - Jeremy Rosenberg / Steve Hillman
  • 45. Web Services Security Challenges IT Services - Jeremy Rosenberg / Steve Hillman
  • 46. • XML-based messages can be deliberately or inadvertently malformed Web Services Security Challenges IT Services - Jeremy Rosenberg / Steve Hillman
  • 47. • • XML-based messages can be deliberately or inadvertently malformed Causes parser or applications to break Web Services Security Challenges IT Services - Jeremy Rosenberg / Steve Hillman
  • 48. • • • XML-based messages can be deliberately or inadvertently malformed Causes parser or applications to break Creates new XML threats and vulnerabilities. E.g: Web Services Security Challenges IT Services - Jeremy Rosenberg / Steve Hillman
  • 49. • • • XML-based messages can be deliberately or inadvertently malformed Causes parser or applications to break Creates new XML threats and vulnerabilities. E.g: • XML parameter tampering Web Services Security Challenges IT Services - Jeremy Rosenberg / Steve Hillman
  • 50. • • • XML-based messages can be deliberately or inadvertently malformed Causes parser or applications to break Creates new XML threats and vulnerabilities. E.g: • XML parameter tampering • XDoS Attacks Web Services Security Challenges IT Services - Jeremy Rosenberg / Steve Hillman
  • 51. • • • XML-based messages can be deliberately or inadvertently malformed Causes parser or applications to break Creates new XML threats and vulnerabilities. E.g: • XML parameter tampering • XDoS Attacks • Message Replay Web Services Security Challenges IT Services - Jeremy Rosenberg / Steve Hillman
  • 52. • • • XML-based messages can be deliberately or inadvertently malformed Causes parser or applications to break Creates new XML threats and vulnerabilities. E.g: • XML parameter tampering • XDoS Attacks • Message Replay • Oversized/overdeep XML nodes Web Services Security Challenges IT Services - Jeremy Rosenberg / Steve Hillman
  • 53. • • • XML-based messages can be deliberately or inadvertently malformed Causes parser or applications to break Creates new XML threats and vulnerabilities. E.g: • XML parameter tampering • XDoS Attacks • Message Replay • Oversized/overdeep XML nodes • Code injection Web Services Security Challenges IT Services - Jeremy Rosenberg / Steve Hillman
  • 54. Web Services Security Challenges IT Services - Jeremy Rosenberg / Steve Hillman
  • 55. • Transactions are principally machine-to-machine Web Services Security Challenges IT Services - Jeremy Rosenberg / Steve Hillman
  • 56. • • Transactions are principally machine-to-machine New thinking around machine-to-machine credentialing Web Services Security Challenges IT Services - Jeremy Rosenberg / Steve Hillman
  • 57. • • • Transactions are principally machine-to-machine New thinking around machine-to-machine credentialing Login pages won’t work Web Services Security Challenges IT Services - Jeremy Rosenberg / Steve Hillman
  • 58. Web Services Security Challenges IT Services - Jeremy Rosenberg / Steve Hillman
  • 59. • Services and clients must agree on security parameters • crypto preferences • standards support Web Services Security Challenges IT Services - Jeremy Rosenberg / Steve Hillman
  • 60. • Services and clients must agree on security parameters • crypto preferences • standards support • Need for new kinds of policy coordination Web Services Security Challenges IT Services - Jeremy Rosenberg / Steve Hillman
  • 61. • Services and clients must agree on security parameters • crypto preferences • standards support • Need for new kinds of policy coordination • Incompatibilities have unforeseen consequences Web Services Security Challenges IT Services - Jeremy Rosenberg / Steve Hillman
  • 62. Web Services Security Challenges IT Services - Jeremy Rosenberg / Steve Hillman
  • 63. • Web services enable multi-hop composite applications Web Services Security Challenges IT Services - Jeremy Rosenberg / Steve Hillman
  • 64. • Web services enable multi-hop composite applications • Example: Student on boarding process Web Services Security Challenges IT Services - Jeremy Rosenberg / Steve Hillman
  • 65. • Web services enable multi-hop composite applications • Example: Student on boarding process • Message level security and audit that can span multihop SOA transactions end-to-end Web Services Security Challenges IT Services - Jeremy Rosenberg / Steve Hillman
  • 66. Web Services Security Challenges IT Services - Jeremy Rosenberg / Steve Hillman
  • 67. Web services expose business functionality through open APIs, requiring new application-aware security measures. Web Services Security Challenges IT Services - Jeremy Rosenberg / Steve Hillman
  • 68. SecureSpan XML Gateway IT Services - Jeremy Rosenberg / Steve Hillman
  • 69. • Enter the XML Gateway SecureSpan XML Gateway IT Services - Jeremy Rosenberg / Steve Hillman
  • 70. SecureSpan XML Gateway IT Services - Jeremy Rosenberg / Steve Hillman
  • 71. XML Gateway - What it does IT Services - Jeremy Rosenberg / Steve Hillman
  • 72. • Parses all Inbound and outbound XML messages XML Gateway - What it does IT Services - Jeremy Rosenberg / Steve Hillman
  • 73. • Parses all Inbound and outbound XML messages • Inspection and modification of XML messages XML Gateway - What it does IT Services - Jeremy Rosenberg / Steve Hillman
  • 74. • Parses all Inbound and outbound XML messages • Inspection and modification of XML messages • Replace “Username” value in inbound XML message with value extracted from client certificate • Prevent spoofing XML Gateway - What it does IT Services - Jeremy Rosenberg / Steve Hillman
  • 75. • Parses all Inbound and outbound XML messages • Inspection and modification of XML messages • Replace “Username” value in inbound XML message with value extracted from client certificate • Prevent spoofing • Blank-out Student Number value in outbound XML messages • Prevent accidental leakage of confidential info XML Gateway - What it does IT Services - Jeremy Rosenberg / Steve Hillman
  • 76. XML Gateway IT Services - Jeremy Rosenberg / Steve Hillman
  • 77. • Thwart attacks XML Gateway IT Services - Jeremy Rosenberg / Steve Hillman
  • 78. • Thwart attacks • Prevent malicious and inadvertent XML attacks XML Gateway IT Services - Jeremy Rosenberg / Steve Hillman
  • 79. • Thwart attacks • Prevent malicious and inadvertent XML attacks • Prevent other not-so-obvious application-level attacks - e.g. SQL injection. • Are you sure every one of your developers sanitizes their inputs? XML Gateway IT Services - Jeremy Rosenberg / Steve Hillman
  • 80. Benefits IT Services - Jeremy Rosenberg / Steve Hillman
  • 81. • Single point-of-entry for Web Services means: Benefits IT Services - Jeremy Rosenberg / Steve Hillman
  • 82. • Single point-of-entry for Web Services means: • Do rate-control/throttling/queueing to enforce SLAs Benefits IT Services - Jeremy Rosenberg / Steve Hillman
  • 83. • Single point-of-entry for Web Services means: • Do rate-control/throttling/queueing to enforce SLAs • Standardized logging of all access Benefits IT Services - Jeremy Rosenberg / Steve Hillman
  • 84. • Single point-of-entry for Web Services means: • Do rate-control/throttling/queueing to enforce SLAs • Standardized logging of all access • Auditing Benefits IT Services - Jeremy Rosenberg / Steve Hillman
  • 85. • Single point-of-entry for Web Services means: • Do rate-control/throttling/queueing to enforce SLAs • Standardized logging of all access • Auditing • Centrally enforced policies Benefits IT Services - Jeremy Rosenberg / Steve Hillman
  • 86. • Single point-of-entry for Web Services means: • Do rate-control/throttling/queueing to enforce SLAs • Standardized logging of all access • Auditing • Centrally enforced policies • Reusable rich set of authentication mechanisms Benefits IT Services - Jeremy Rosenberg / Steve Hillman
  • 87. • Single point-of-entry for Web Services means: • Do rate-control/throttling/queueing to enforce SLAs • Standardized logging of all access • Auditing • Centrally enforced policies • Reusable rich set of authentication mechanisms • Managed by the Infrastructure team on behalf of all Web Services development groups Benefits IT Services - Jeremy Rosenberg / Steve Hillman
  • 88. Why We Chose Layer7 IT Services - Jeremy Rosenberg / Steve Hillman
  • 89. • Industry leader in this space Why We Chose Layer7 IT Services - Jeremy Rosenberg / Steve Hillman
  • 90. • Industry leader in this space • Very responsive Why We Chose Layer7 IT Services - Jeremy Rosenberg / Steve Hillman
  • 91. • Industry leader in this space • Very responsive • Available as either hard or soft appliance Why We Chose Layer7 IT Services - Jeremy Rosenberg / Steve Hillman
  • 92. • • • • Industry leader in this space Very responsive Available as either hard or soft appliance Extensible using Java. We have Java experts. Why We Chose Layer7 IT Services - Jeremy Rosenberg / Steve Hillman
  • 93. • • • • • Industry leader in this space Very responsive Available as either hard or soft appliance Extensible using Java. We have Java experts. Supports every standard known to Man Why We Chose Layer7 IT Services - Jeremy Rosenberg / Steve Hillman
  • 94. Standards IT Services - Jeremy Rosenberg / Steve Hillman
  • 95. XML 1.0 SOAP 1.2 REST AJAX XPath 1.0 XSLT 1.0 WSDL 1.1 XML Schema LDAP 3.0 SAML 1.1/2.0 PKCS #10 X.509 v3 Certificates FIPS 140-2 Kerberos W3C XML Signature 1.0 W3C XML Encryption 1.0 SSL/TLS 3.0/1.1 SNMP SMTP POP3 IMAP4 HTTP/HTTPS JMS 1.0 MQ Series Tibco EMS FTP WS-Security 1.1 WS-Trust 1.0 Standards IT Services - Jeremy Rosenberg / Steve Hillman WS-Federation WS-Addressing WSSecureConversation WS-MetadataExchange WS-Policy WS-SecurityPolicy WS-PolicyAttachment WS-SecureExchange WSIL WS-I WS-I BSP UDDI 3.0 XACML 2.0 MTOM
  • 96. The Gateway Changes Everything IT Services - Jeremy Rosenberg / Steve Hillman
  • 97. SOAP Security - Cowboy Style IT Services - Jeremy Rosenberg / Steve Hillman
  • 98. SOAP Security - Cowboy Style IT Services - Jeremy Rosenberg / Steve Hillman
  • 99. SOAP Security - Cowboy Style IT Services - Jeremy Rosenberg / Steve Hillman
  • 100. SOAP Security - Cowboy Style IT Services - Jeremy Rosenberg / Steve Hillman
  • 101. SOAP Security - Cowboy Style IT Services - Jeremy Rosenberg / Steve Hillman
  • 102. SOAP Security - Cowboy Style IT Services - Jeremy Rosenberg / Steve Hillman
  • 103. SOAP Security - Cowboy Style IT Services - Jeremy Rosenberg / Steve Hillman
  • 104. SOAP Security - Cowboy Style IT Services - Jeremy Rosenberg / Steve Hillman
  • 105. About DNPKI IT Services - Jeremy Rosenberg / Steve Hillman
  • 106. Definitely Not a Public Key Infrastructure (DNPKI) About DNPKI IT Services - Jeremy Rosenberg / Steve Hillman
  • 107. Definitely Not a Public Key Infrastructure (DNPKI) • Named out of frustration with the phrase: • “Cool we have PKI now” About DNPKI IT Services - Jeremy Rosenberg / Steve Hillman
  • 108. Definitely Not a Public Key Infrastructure (DNPKI) • Named out of frustration with the phrase: • “Cool we have PKI now” • Needed a way to manage X.509 certificates for: • https client certificate authentication • WS-Security Signature Authentication About DNPKI IT Services - Jeremy Rosenberg / Steve Hillman
  • 109. Definitely Not a Public Key Infrastructure (DNPKI) • Named out of frustration with the phrase: • “Cool we have PKI now” • Needed a way to manage X.509 certificates for: • https client certificate authentication • WS-Security Signature Authentication • Store and push RSA public keys into LDAP About DNPKI IT Services - Jeremy Rosenberg / Steve Hillman
  • 110. Definitely Not a Public Key Infrastructure (DNPKI) • Named out of frustration with the phrase: • “Cool we have PKI now” • Needed a way to manage X.509 certificates for: • https client certificate authentication • WS-Security Signature Authentication • Store and push RSA public keys into LDAP • Ability to de-provision certificate access About DNPKI IT Services - Jeremy Rosenberg / Steve Hillman
  • 111. Definitely Not a Public Key Infrastructure (DNPKI) • Named out of frustration with the phrase: • “Cool we have PKI now” • Needed a way to manage X.509 certificates for: • https client certificate authentication • WS-Security Signature Authentication • Store and push RSA public keys into LDAP • Ability to de-provision certificate access • Leveraged existing IdM architecture About DNPKI IT Services - Jeremy Rosenberg / Steve Hillman
  • 112. About DNPKI IT Services - Jeremy Rosenberg / Steve Hillman
  • 113. About DNPKI IT Services - Jeremy Rosenberg / Steve Hillman
  • 114. About DNPKI IT Services - Jeremy Rosenberg / Steve Hillman
  • 115. About DNPKI IT Services - Jeremy Rosenberg / Steve Hillman
  • 116. About DNPKI IT Services - Jeremy Rosenberg / Steve Hillman
  • 117. About DNPKI IT Services - Jeremy Rosenberg / Steve Hillman
  • 118. About DNPKI IT Services - Jeremy Rosenberg / Steve Hillman
  • 119. About DNPKI IT Services - Jeremy Rosenberg / Steve Hillman
  • 120. About DNPKI IT Services - Jeremy Rosenberg / Steve Hillman
  • 121. SOAP Security - Best Practices IT Services - Jeremy Rosenberg / Steve Hillman
  • 122. SOAP Security - Best Practices IT Services - Jeremy Rosenberg / Steve Hillman
  • 123. SOAP Security - Best Practices IT Services - Jeremy Rosenberg / Steve Hillman
  • 124. SOAP Security - Best Practices IT Services - Jeremy Rosenberg / Steve Hillman
  • 125. SOAP Security - Best Practices IT Services - Jeremy Rosenberg / Steve Hillman
  • 126. SOAP Security - Best Practices IT Services - Jeremy Rosenberg / Steve Hillman
  • 127. SOAP Security - Best Practices IT Services - Jeremy Rosenberg / Steve Hillman
  • 128. SOAP Security - Best Practices IT Services - Jeremy Rosenberg / Steve Hillman
  • 129. SOAP Security - Best Practices IT Services - Jeremy Rosenberg / Steve Hillman
  • 130. SOAP Security - Best Practices IT Services - Jeremy Rosenberg / Steve Hillman
  • 131. SOAP Security - Best Practices IT Services - Jeremy Rosenberg / Steve Hillman
  • 132. SOAP Security - Best Practices IT Services - Jeremy Rosenberg / Steve Hillman
  • 133. SOAP Security - Best Practices IT Services - Jeremy Rosenberg / Steve Hillman
  • 134. Gateway SOAP Assertions IT Services - Jeremy Rosenberg / Steve Hillman
  • 135. Gateway SOAP Assertions IT Services - Jeremy Rosenberg / Steve Hillman
  • 136. Gateway SOAP Assertions IT Services - Jeremy Rosenberg / Steve Hillman
  • 137. Gateway SOAP Assertions IT Services - Jeremy Rosenberg / Steve Hillman
  • 138. Gateway SOAP Assertions IT Services - Jeremy Rosenberg / Steve Hillman
  • 139. Gateway SOAP Assertions IT Services - Jeremy Rosenberg / Steve Hillman
  • 140. Gateway SOAP Assertions IT Services - Jeremy Rosenberg / Steve Hillman
  • 141. The Zimbra Conundrum IT Services - Jeremy Rosenberg / Steve Hillman
  • 142. The Zimbra Conundrum IT Services - Jeremy Rosenberg / Steve Hillman
  • 143. The Zimbra Conundrum IT Services - Jeremy Rosenberg / Steve Hillman
  • 144. .../courses?user=me The Zimbra Conundrum IT Services - Jeremy Rosenberg / Steve Hillman
  • 145. .../courses?user=me The Zimbra Conundrum IT Services - Jeremy Rosenberg / Steve Hillman
  • 146. .../courses?user=notme The Zimbra Conundrum IT Services - Jeremy Rosenberg / Steve Hillman
  • 147. .../courses?user=notme The Zimbra Conundrum IT Services - Jeremy Rosenberg / Steve Hillman
  • 148. REST Security that Never Rests IT Services - Jeremy Rosenberg / Steve Hillman
  • 149. REST Security that Never Rests IT Services - Jeremy Rosenberg / Steve Hillman
  • 150. REST Security that Never Rests IT Services - Jeremy Rosenberg / Steve Hillman
  • 151. REST Security that Never Rests IT Services - Jeremy Rosenberg / Steve Hillman
  • 152. REST Security that Never Rests IT Services - Jeremy Rosenberg / Steve Hillman
  • 153. REST Security that Never Rests IT Services - Jeremy Rosenberg / Steve Hillman
  • 154. REST Security that Never Rests IT Services - Jeremy Rosenberg / Steve Hillman
  • 155. REST Security that Never Rests IT Services - Jeremy Rosenberg / Steve Hillman
  • 156. REST Security that Never Rests IT Services - Jeremy Rosenberg / Steve Hillman
  • 157. Gateway REST Assertions IT Services - Jeremy Rosenberg / Steve Hillman
  • 158. Gateway REST Assertions IT Services - Jeremy Rosenberg / Steve Hillman
  • 159. Gateway REST Assertions IT Services - Jeremy Rosenberg / Steve Hillman
  • 160. Gateway REST Assertions IT Services - Jeremy Rosenberg / Steve Hillman
  • 161. Gateway REST Assertions IT Services - Jeremy Rosenberg / Steve Hillman
  • 162. Gateway REST Assertions IT Services - Jeremy Rosenberg / Steve Hillman
  • 163. Gateway REST Assertions IT Services - Jeremy Rosenberg / Steve Hillman
  • 164. Lessons Learned IT Services - Jeremy Rosenberg / Steve Hillman
  • 165. • Security is an enabler Lessons Learned IT Services - Jeremy Rosenberg / Steve Hillman
  • 166. • Security is an enabler • Stick to standards where possible Lessons Learned IT Services - Jeremy Rosenberg / Steve Hillman
  • 167. • Security is an enabler • Stick to standards where possible • A good vendor is huge Lessons Learned IT Services - Jeremy Rosenberg / Steve Hillman
  • 168. • Security is an enabler • Stick to standards where possible • A good vendor is huge • Start small • Control the service and consumer Lessons Learned IT Services - Jeremy Rosenberg / Steve Hillman
  • 169. • Security is an enabler • Stick to standards where possible • A good vendor is huge • Start small • Control the service and consumer • Security can be fun! Lessons Learned IT Services - Jeremy Rosenberg / Steve Hillman
  • 170. Thank You ! rosenberg@sfu.ca! hillman@sfu.ca ! THANK YOU IT Services - Jeremy Rosenberg / Steve Hillman

×