2. About the Presenters
๏ Jeewantha Dharmaparakrama, Software Engineer, WSO2, jeewantha@wso2.com
๏ Isuru Udana, Senior Software Engineer, WSO2, isuruu@wso2.com
3. About WSO2
๏ Global enterprise, founded in 2005 by acknowledged leaders in XML, web services technologies, standards and open source
๏ Provides only open source platform-as-a-service for private, public and hybrid cloud deployments
๏ All WSO2 products are 100% open source and released under the Apache License Version 2.0.
๏ Is an Active Member of OASIS, Cloud Security Alliance, OSGi Alliance, AMQP Working Group, OpenID Foundation and W3C.
๏ Driven by Innovation
๏ Launched first open source API Management solution in 2012
๏ Launched App Factory in 2Q 2013
๏ Launched Enterprise Store and first open source Mobile solution in 4Q 2013
5. Outline
• Security with WSO2 ESB
  • WS-Security
  • Transport Level Security
  • OAuth and Entitlement
• Some of the commonly used Security Patterns in SOA
  • Authentication patterns
  • Authorization patterns
  • Data Confidentiality
  • Data integrity and non repudiation
• QnA
7. WSO2 ESB
• A lightweight, high performance ESB
• Feature rich and standards compliant
  • SOAP and WS-* standards
  • REST support
  • Domain specific protocol support (eg: FIX, HL7)
• User friendly and highly extensible
• 100% free and open source with commercial support
8. Security with WSO2 ESB
• WS-Security
• Transport Level Security
• OAuth and Entitlement
9. WS-Security with WSO2 ESB
• WS-Security is an extension to SOAP to apply security to Web services
• Provides message level security
• Apache Rampart handles WS-Security at the ESB
• Policy (WS-SecurityPolicy) driven
17. Mutual SSL
• Client and the server authenticating each other
• Similar to SSL but with the addition of client authentication
• Server requests the client to provide a certificate
• Typically used when an extra level of security is needed.
• Extra cost involved
19. SSL Outbound Profiles
• Allows specifying different SSL profiles for different backend servers
• Each profile has a separate KeyStore and a TrustStore
• Allows connecting to different target servers using different certificates and identities
20. SSL Inbound Profiles
• Allows specifying different SSL profiles for different IPs of the server
• Each profile has a separate KeyStore and a TrustStore
21. Verification of Certificate Revocation
- A certificate has an expiry time.
- What if a certificate gets revoked before the expiration time?
- There should be a way to make those certificates untrustworthy.
• Certificate Revocation List (CRL)
• Online Certificate Status Protocol (OCSP)
22. CRL
• A Certificate Revocation List (CRL) is a list of certificates that have been revoked by their issuer (CA)
• Entities presenting those (revoked) certificates should no longer be trusted
• A CRL is generated and published periodically
23. OCSP
• Online Certificate Status Protocol offers an alternative to a certificate revocation list (CRL)
• Real-time revocation status during the certificate verification process
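To show how the two mechanisms fit into one verification step, here is an added example (not from the slides and not WSO2's own code): a small Python model that checks expiry first, asks an OCSP responder if one is configured, and otherwise falls back to the CRL, refusing to trust a certificate whose CRL is past its next update. The CA name, serial numbers and dates are constructed sample data.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data (not from the slides): one CA's published CRL and
# three certificates it issued. Real CRLs and certificates are X.509/ASN.1;
# only the fields the checks below need are modelled here.
NOW = datetime(2014, 6, 1, tzinfo=timezone.utc)
CRL = {
    "issuer": "CN=Example CA",
    "this_update": NOW - timedelta(days=1),
    "next_update": NOW + timedelta(days=6),      # the CA republishes periodically
    "revoked": {1002: NOW - timedelta(days=3)},  # serial -> revocation time
}
CERTS = {
    "good":    {"serial": 1001, "issuer": "CN=Example CA", "not_after": NOW + timedelta(days=300)},
    "revoked": {"serial": 1002, "issuer": "CN=Example CA", "not_after": NOW + timedelta(days=300)},
    "expired": {"serial": 1003, "issuer": "CN=Example CA", "not_after": NOW - timedelta(days=1)},
}

def status_from_crl(cert, crl, now):
    """Answer 'good', 'revoked' or 'unknown' from a CRL; a stale CRL is no answer."""
    if cert["issuer"] != crl["issuer"]:
        return "unknown"          # another CA's list says nothing about this cert
    if now > crl["next_update"]:
        return "unknown"          # past next_update: the list may lack newer revocations
    return "revoked" if cert["serial"] in crl["revoked"] else "good"

def verify(cert, crl, now, ocsp=None):
    """Expiry first, then real-time OCSP if a responder is given, else the CRL.
    Returns (accepted, reason); only a positive 'good' answer is accepted."""
    if now > cert["not_after"]:
        return False, "expired"
    status = "unknown"
    if ocsp is not None:
        try:
            status = ocsp(cert["serial"])   # responder answers 'good', 'revoked' or 'unknown'
        except Exception:
            status = "unknown"              # responder unreachable: fall back to the CRL
    if status == "unknown":
        status = status_from_crl(cert, crl, now)
    return (True, "ok") if status == "good" else (False, status)
```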
24. SSL Tunneling
• If a proxy service connects to a back-end server through a proxy server, we can enable SSL Tunneling through the proxy server
• SSL Tunneling prevents any intermediary proxy servers from interfering with the communication
25. OAuth mediator
• Used for constrained access delegation.
• The client has to get an OAuth access token from the Authorization server
• When a client sends a request with an OAuth token, the OAuth mediator will get the access token validated by the Authorization server.
Example configuration:
<oauthService xmlns="http://ws.apache.org/ns/synapse"
              remoteServiceUrl="https://localhost:9443/service"
              username="foo"
              password="bar" />
26. Entitlement mediator
• Intercepts requests and evaluates the actions performed by the user against an eXtensible Access Control Markup Language (XACML) policy.
• WSO2 Identity Server can be used as the XACML Policy Decision Point (PDP) where the policy is set.
• WSO2 ESB serves as the XACML Policy Enforcement Point (PEP) where the policy is enforced.
27. Some common security patterns with WSO2 ESB
Authentication
• Direct authentication
• Brokered authentication
• Protocol transition
• Trusted subsystem
32. Some common security patterns with WSO2 ESB Contd..
Authorization
• Role based access control
• Claim based authorization
• Constrained access delegation
34. Claim based Authorization
Authorization based on claims carried in a SAML token, using the Entitlement Mediator
https://docs.wso2.org/display/ESB481/Entitlement+Mediator
36. Constrained Access Delegation Contd.
1. Client gets registered with the Authorization server (WSO2 IS)
2. Authorization server generates a client ID and client secret for the registered client.
37. Constrained Access Delegation
3. Client requests the OAuth access token for the resource from the Authorization server, providing the client ID and secret:
curl -u <Client_id>:<Client_secret> -k -d "grant_type=password&username=admin&password=admin" -H "Content-Type:application/x-www-form-urlencoded" https://localhost:9444/oauth2endpoints/token
4. Authorization server will provide the access token to the client:
{"token_type":"bearer","expires_in":810,"refresh_token":"8dd86285b6ccde955ce4ab65f41871cb","access_token":"4eb7939a6db20a0eddcd44e59badcb6"}
5. Client will send the access token in an Authorization HTTP header to the resource server via WSO2 ESB:
curl -H "Authorization:Bearer 4eb7939a6db20a0eddcd44e59badcb6" -v http://localhost:8282/stockquote/view/IBM
6. OAuth mediator in WSO2 ESB does the access token verification with the Authorization server (WSO2 IS)
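As an added example covering the OAuth mediator slide and steps 3 to 6 above (not WSO2's own code), this Python model stands in for the Authorization server and for the mediator's check: the server authenticates the client ID and secret before issuing a token with the same fields as the JSON response above, and mediate() rejects a request whose Authorization header is missing, not a Bearer scheme, unknown to the server, or past expires_in. Client IDs, secrets and user names are constructed; clocks are passed in explicitly so expiry can be exercised.

```python
import secrets
import time

# Constructed stand-in for the Authorization server (WSO2 IS in the slides).
# It issues tokens in the shape of the slide's JSON response and answers the
# mediator's validation calls; nothing here is WSO2's own implementation.
class AuthorizationServer:
    def __init__(self, clients, users):
        self._clients = clients   # client_id -> client_secret (step 2 registration)
        self._users = users       # username -> password (the resource owner)
        self._tokens = {}         # access_token -> (expiry epoch seconds, username)

    def token(self, client_id, client_secret, username, password, now, expires_in=810):
        """Step 3: password grant, authenticated with the registered client credentials."""
        if not secrets.compare_digest(self._clients.get(client_id, ""), client_secret):
            return None                                   # unknown client or wrong secret
        if not secrets.compare_digest(self._users.get(username, ""), password):
            return None                                   # wrong resource-owner password
        access = secrets.token_hex(16)
        self._tokens[access] = (now + expires_in, username)
        return {"token_type": "bearer", "expires_in": expires_in,
                "refresh_token": secrets.token_hex(16), "access_token": access}

    def validate(self, access_token, now):
        """Step 6: the mediator asks whether the token is live; None means reject."""
        entry = self._tokens.get(access_token)
        if entry is None or now >= entry[0]:
            return None
        return entry[1]

def parse_bearer(headers):
    """Extract the token from 'Authorization: Bearer <token>' (scheme is case-insensitive)."""
    value = headers.get("Authorization", "")
    scheme, _, token = value.strip().partition(" ")
    token = token.strip()
    if scheme.lower() != "bearer" or not token:
        return None
    return token

def mediate(headers, auth_server, now=None):
    """What the OAuth mediator does in front of the backend: 401 unless the token checks out."""
    now = time.time() if now is None else now
    token = parse_bearer(headers)
    if token is None:
        return 401, "missing or malformed Authorization header"
    user = auth_server.validate(token, now)
    if user is None:
        return 401, "access token invalid or expired"
    return 200, f"request forwarded to backend on behalf of {user}"
```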
38. Some common security patterns with WSO2 ESB Contd..
Confidentiality
• Data encryption with WS-Security
Non Repudiation + Integrity
• Data signing with WS-Security