SOA Certification Mentoring



  1. SOA Certification Mentoring Session 8: SOA Security (20 March 2008)
  2. Session 8 Agenda • Notes • Next steps • Questions about the reading? • SOA Security topics
  3. Reminder • Register for a timeslot to take the exam.
  4. Assignment for next week – Review • Review the previous presentations and podcasts • Review the exam outlines from the web: – 664: http://www- – 667: http://www- • Gut check – do you feel ready?
  5. Questions about the reading? • Read the following sections from the Redbook “Understanding SOA Security”: – Sections 1.1.1 – 1.1.3, 1.3; Chapters 2-6 • bstracts/SG247310.html
  6. Security Considerations for SOA • The need for identity to be decoupled from services. • The need to manage identity and security across a range of systems and services that are implemented in a diverse mix of new and old technologies.
  7. Siloed Applications Lead to Siloed Identities (diagram: Divisions “A” through “E”, each holding its own user ID for the same person: ray, divb-ray, z42, ibm_empl, mgr)
  8. Service Reuse Leads to Identity Propagation Conflicts (diagram labels: Customer, Division(s), Shared Services, Supplier, Outsourced; user IDs ibm_23, ray, z42, divb-ray, mgr, ibm_empl)
  9. Security Considerations That Haven’t Changed • The need to protect business data both in transit and at rest. • The need for demonstrable compliance with changing regulatory requirements.
  10. Key Message • “The overall security principles that apply in any environment, whether SOA or not, are the same: identity, authentication, authorization, confidentiality, integrity, audit and compliance, policy management and availability. What changes in SOA is how they are applied.” (p. 16, “Understanding SOA Security Design and Implementation” Redbook)
  11. Web Services Security Standards
  12. SOAP Foundation
  13. WS-Security • The WS-Security specification provides message-level security. The advantage of using WS-Security instead of Secure Sockets Layer (SSL) is that it can provide end-to-end message-level security: the messages stay protected even when a message passes through multiple services or intermediaries. Additionally, WS-Security is independent of the transport-layer protocol; it can be used for any SOAP binding, not just SOAP over HTTP.
  14. WS-Security
  15. WS-Security Example
  16. WS-Policy • WS-Policy provides a flexible and extensible grammar for expressing the capabilities, requirements, and general characteristics of entities in an XML Web services-based system. WS-Policy defines a framework and a model for the expression of these properties as policies. Policy expressions allow for both simple declarative assertions and more sophisticated conditional assertions.
  17. WS-Trust • The Web Services Trust Language (WS-Trust) uses the secure messaging mechanisms of WS-Security to define additional primitives and extensions for the issuance, exchange, and validation of security tokens. WS-Trust also enables the issuance and dissemination of credentials within different trust domains.
  18. WS-SecureConversation • The Web Services Secure Conversation Language (WS-SecureConversation) is built on top of the WS-Security and WS-Policy models to provide secure communication between services. WS-Security focuses on the message authentication model but not on a security context, and thus is subject to several forms of security attacks. This specification defines mechanisms for establishing and sharing security contexts, and for deriving keys from security contexts, to enable a secure conversation.
  19. WS-Federation • WS-Federation describes how to use the existing Web services security building blocks to provide federation functionality, including trust, single sign-on (and single sign-off), and attribute management across a federation. WS-Federation is really a family of three specifications: WS-Federation, WS-Federation Passive Client, and WS-Federation Active Client.
  20. SAML • Security Assertion Markup Language (SAML) is a specification designed to provide cross-vendor single sign-on interoperability. SAML was developed by a consortium of vendors (including IBM) under the auspices of OASIS, through the OASIS Security Services Technical Council (SSTC). SAML has two major components: it describes SAML assertions used to transfer information within a single sign-on protocol, and SAML bindings and profiles for a single sign-on protocol.
  21. XACML • eXtensible Access Control Markup Language (XACML) is an initiative to develop a standard for access control and authorization systems. It describes both a common language for expressing access control policies, used to describe general access control requirements, and a request/response language that describes how to form a query to determine whether a given action is allowed and how to interpret the result. XACML addresses several use cases: – Define a policy – Gather required data for policy evaluation – Evaluate policy – Enforce policy
  22. SAML with XACML 1. An XACML Policy Enforcement Point (PEP) receives a request to access some resource. 2. The PEP obtains SAML Assertions containing information about the parties to the request, such as the requester, the receiver (if different) or intermediaries. These Assertions might accompany the request or be obtained directly from a SAML Authority, depending on the SAML profile used. 3. The PEP obtains other information relevant to the request, such as time, date, location, and properties of the resource. 4. The PEP presents all the information to a Policy Decision Point (PDP) to decide whether the access should be allowed. 5. The PDP obtains all the policies relevant to the request and evaluates them, combining conflicting results if necessary. 6. The PDP informs the PEP of the decision result. 7. The PEP enforces the decision, either by allowing the requested access or by indicating that access is not allowed.
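The XACML slide lists the four use cases (define, gather, evaluate, enforce) and the SAML-with-XACML slide walks through the seven-step PEP/PDP exchange. The example below is added here and is not from the deck or from any XACML or SAML product; it implements that exchange in miniature in Python: the PEP takes a SAML-style assertion (step 2; a signed JSON record with an HMAC stands in for a signed XML assertion, and the issuer key is constructed), gathers environment data (step 3), builds the request context for a PDP (step 4), which evaluates the applicable policies with XACML's deny-overrides combining algorithm (step 5) and returns its decision (step 6), and finally the PEP enforces it, treating anything other than `Permit` as a denial (step 7). The policy, the roles, the `urn:example` resource and the sample user IDs are all constructed for the example.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Dict, List, Tuple


@dataclass
class Request:
    """The XACML request context: attribute bags for subject, resource, action and environment."""
    subject: Dict[str, str]
    resource: Dict[str, str]
    action: Dict[str, str]
    environment: Dict[str, object]


@dataclass
class Rule:
    effect: str                                   # "Permit" or "Deny"
    condition: Callable[[Request], bool]


@dataclass
class Policy:
    policy_id: str
    target: Callable[[Request], bool]             # does this policy apply to the request at all?
    rules: List[Rule]


def deny_overrides(decisions: List[str]) -> str:
    """XACML deny-overrides: any Deny wins; otherwise any Permit; otherwise NotApplicable."""
    if "Deny" in decisions:
        return "Deny"
    if "Permit" in decisions:
        return "Permit"
    return "NotApplicable"


class PDP:
    """Policy Decision Point: evaluates every applicable policy and combines the results."""

    def __init__(self, policies: List[Policy]):
        self.policies = policies

    def evaluate(self, req: Request) -> str:
        per_policy = []
        for policy in self.policies:
            if not policy.target(req):
                continue
            per_policy.append(deny_overrides([r.effect for r in policy.rules if r.condition(req)]))
        return deny_overrides(per_policy)


# Constructed SAML stand-in: a dict signed with an HMAC under the issuer's key.
ISSUER_KEYS = {"https://idp.example/saml": b"constructed-idp-signing-key"}


def sign_assertion(issuer: str, name_id: str, attributes: Dict[str, str]) -> dict:
    body = {"issuer": issuer, "subject": name_id, "attributes": attributes}
    mac = hmac.new(ISSUER_KEYS[issuer], json.dumps(body, sort_keys=True).encode(), hashlib.sha256)
    return {**body, "signature": mac.hexdigest()}


class PEP:
    """Policy Enforcement Point: validates the assertion, builds the request, enforces the answer."""

    def __init__(self, pdp: PDP):
        self.pdp = pdp

    def attributes_from(self, assertion: dict) -> Dict[str, str]:
        key = ISSUER_KEYS.get(assertion.get("issuer"))
        if key is None:
            raise ValueError("untrusted SAML issuer")
        body = {k: assertion[k] for k in ("issuer", "subject", "attributes")}
        expected = hmac.new(key, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, assertion.get("signature", "")):
            raise ValueError("assertion signature invalid")
        return {"id": assertion["subject"], **assertion["attributes"]}

    def handle(self, assertion: dict, resource: dict, action: dict, now: datetime) -> Tuple[bool, str]:
        try:
            subject = self.attributes_from(assertion)                 # step 2: who is asking
        except ValueError as exc:
            return False, f"rejected: {exc}"
        req = Request(subject, resource, action, {"hour": now.hour})  # step 3: environment data
        decision = self.pdp.evaluate(req)                             # steps 4 to 6
        return decision == "Permit", decision                         # step 7: fail closed


# Constructed policy: managers may read the accounts service, but only during business hours.
ACCOUNTS_POLICY = Policy(
    "accounts-read",
    target=lambda r: r.resource.get("service") == "accounts",
    rules=[Rule("Permit", lambda r: r.subject.get("role") == "mgr" and r.action.get("id") == "read"),
           Rule("Deny", lambda r: not 8 <= r.environment["hour"] < 18)])


def demo() -> list:
    pep = PEP(PDP([ACCOUNTS_POLICY]))
    mgr = sign_assertion("https://idp.example/saml", "swarne", {"role": "mgr", "division": "B"})
    clerk = sign_assertion("https://idp.example/saml", "ray", {"role": "clerk", "division": "A"})
    forged = dict(mgr, attributes={"role": "mgr", "division": "A"})   # edited after signing
    resource, action = {"service": "accounts", "owner": "B"}, {"id": "read"}
    day = datetime(2008, 3, 20, 10, 0, tzinfo=timezone.utc)
    night = datetime(2008, 3, 20, 23, 0, tzinfo=timezone.utc)
    return [pep.handle(mgr, resource, action, day),
            pep.handle(clerk, resource, action, day),
            pep.handle(mgr, resource, action, night),
            pep.handle(forged, resource, action, day)]


if __name__ == "__main__":
    for allowed, detail in demo():
        print("allowed" if allowed else "blocked", detail)
```

Two points carry over to a real deployment: the PEP never forwards an assertion it has not verified, so the PDP only ever reasons over attributes that a trusted authority vouched for, and `NotApplicable` (no policy matched) is enforced as a denial rather than silently permitted.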
  23. RACF • Resource Access Control Facility (RACF) is an add-on software product that provides security for a mainframe system. RACF protects resources by granting access only to authorized users of the protected resources. RACF retains information about users, resources, and access authorities in special structures called profiles in its database, and it refers to these profiles when deciding which users should be permitted access to protected system resources.
  24. IBM’s Security Products (partial list) • Tivoli Identity Manager (TIM) • Tivoli Access Manager (TAM) • Tivoli Federated Identity Manager (TFIM) • DataPower XS40 and XI50
  25. Tivoli Identity Manager (TIM) • IBM Tivoli Identity Manager provides a secure, automated and policy-based user management solution that helps effectively manage user identities throughout their lifecycle across both legacy and e-business environments.
  26. Tivoli Access Manager (TAM) • IBM Tivoli Access Manager is an award-winning, policy-based, access control security solution for e-business and enterprise applications, featuring Web-based single sign-on and distributed Web-based administration.
  27. How TIM Relates to TAM (diagram labels: TIM – Enterprise level: user provisioning of Accounts to Systems, Applications and Databases; TAM – Authorization; Internet, DMZ, Private Network)
  28. Tivoli Federated Identity Manager (TFIM) • Tivoli Federated Identity Manager is a standards-based access control solution for federated single sign-on (SSO) and trust management in web services and SOA environments.
  29. TFIM – Identity Propagation in SOA • Provides “in the plumbing” services for: – Passing identity between domains – which user ID is passed and how it is passed – Authorization (via calls to TAM) – Audit logging • Integration with IBM’s Enterprise Service Bus offerings – WebSphere Enterprise Service Bus – WebSphere Message Broker – DataPower XI50 • Integration with: – WebSphere Application Server – WebSphere Portal Server – RACF/CICS and other “legacy” applications • REFERENCE: –
  30. Implementation of WS-Trust in TFIM (diagram: WebSphere Application Server (inbound/outbound SOAP, JCA, JDBC), WebSphere Enterprise Service Bus, WebSphere Message Broker and DataPower SOA Appliances (XS40, XI50) act as Trust Clients of the TFIM Security Token Service (STS); the WS-Trust request carries Issuer, AppliesTo and <Token> into a Trust Chain, and the response returns StatusCode and <NewToken>)
  31. Example Credential Flow (diagram labels: Web Login (Shane.Warne / passw0rd), Portal, HTTP Hdr, SAML 2.0 Claims, WS-Sec Claims, WAS1, ESB Mediation Service, SAML 1.1 Claims, WS-Sec Claims, WAS2, WAS3, JDBC (warnie / password1), DB, TFIM STS reached via WS-Trust; the user ID swarne appears at the WAS hops)
  31. 31. 31 20 March 2008 Example Credential Flow W e HTTP WAS1 ESB WAS2 Web b Hdr SAML 2.0 SAML 1.1 Login S T Claims WS-Sec Claims WS-Sec Claims A swarne E swarne I Portal swarne Mediation Service Shane.Warne passw0rd A L warnie JDBC WS-Trust password1 Claims DB TFIM STS WAS3 Session 8: SOA Security
  32. 32. 32 20 March 2008 DataPower for security and connectivity Session 8: SOA Security
  33. 33. 33 20 March 2008 DataPower as a Web 2.0 security appliance Session 8: SOA Security
  34. 34. 34 20 March 2008 IBM SOA Security Reference Model Session 8: SOA Security
  35. 35. 35 20 March 2008 IBM SOA Security Reference Model Session 8: SOA Security
  36. 36. 36 20 March 2008 For More Information Session 8: SOA Security
  37. 37. 37 20 March 2008 For More Information Session 8: SOA Security
  38. 38. 38 20 March 2008 Fin Session 8: SOA Security