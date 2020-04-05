
IBM Datapower Security Scenarios - Using JWT to secure microservices

  1. An Architect's Hands-on Experience in Securing Microservices with JSON Web Token using IBM Datapower. Sandip Gupta, Senior Client Architect, Cloud & Cognitive BU, IBM India. 5th April 2020.
  2. Laptop Deployment Topology. Physical layout of the components used and their interactions (diagram labels): SoapUI (test client); Datapower Container with a Multiprotocol Gateway, its Front Side Handler (Client) and Policy (Client-to-Server); Backend (Server). Host: mqserver. Endpoints: https://mqserver:8000/crt/test (Create JWT Token), https://mqserver:8000/vrf/test (Verify JWT Token), https://mqserver:9090/dp/login (web console). Crypto material: Client Key, Client Certificate, Server Key, Server Certificate.
  3. Setup Details
  4. Topology Setup – Commands used. The slide is a table with the columns Component, Versions, Commands – First time, Commands – Repeated; the rows, with their commands in the order shown:
     - Operating System, Macos Mojave 10.14.5. Add an entry "<laptop_ip> mqserver" to /etc/hosts; mkdir $HOME/mq; mkdir $HOME/dp. IP address of the laptop: ifconfig | grep inet4; ping mqserver. The laptop's IP address needs to be used instead of localhost or 127.0.0.1 between the DP & MQ containers.
     - Docker Community Edition, Docker CE 2.1.0.2 and Kitematic 0.17.9. docker ps; docker images; start Docker Engine.
     - Openssl, 2.6.5:
         mkdir $HOME/mq/certs
         cd $HOME/mq/certs
         openssl genrsa -out server.key 2048
         openssl req -new -x509 -key server.key -out server.cert -days 365
         openssl genrsa -out client.key 2048
         openssl req -new -x509 -key client.key -out client.cert -days 365
       <Server Key>: private key and public cert of the Datapower server. <Client Key>: private key and public cert of the MQ server.
     - SOAP UI, 5.5.0.
  5. Topology Setup – Contd… (same columns).
     - Datapower Developer Edition, 2018.1.10. First time:
         docker pull ibmcom/datapower:latest
         cd $HOME/dp
         git clone https://github.com/ibm-datapower/datapower-tutorials.git
         cd $HOME/dp/datapower-tutorials/getting-started
         docker run -it -v $PWD/config:/drouter/config -v $PWD/local:/drouter/local -e DATAPOWER_ACCEPT_LICENSE=true -e DATAPOWER_INTERACTIVE=true -p 9090:9090 -p 9022:22 -p 5554:5554 -p 8000-8010:8000-8010 --name idg ibmcom/datapower
       then, in the Datapower CLI: configure; web-mgmt 0 9090 9090; and exit the container. Repeated: start the IDG container using Kitematic (docker run -it idg); docker ps; docker inspect <dp_container> | grep IPAddress.
     - <WebConsole> URL: https://mqserver:9090/dp/login. User: admin:admin.
  6. JWT Structure
  7. IBM Datapower
  8. Crypto in Datapower. Two keys: one named Client Key and the other Server Key. Each has its own public certificate (Client Key & Certificate, Server Key & Certificate).
  9. Multi-Protocol Gateway Services in Datapower. Created two multi-protocol gateway services. rest_mpgw: multi-protocol gateway service to secure a microservice using a JWT token with digital signing and/or encryption.
  10. Multi-protocol Security Policy in Datapower - 1
  11. Multi-protocol Security Policy in Datapower - 2
  12. Front Side Handler in Datapower. Acts as a Client to Datapower, which is always the server!!
  13. JSON Web Token using IBM Datapower
  14. JWT Create Policy in Datapower
  15. Matching Rules in Datapower
  16. Result Rule in Datapower
  17. JWT Create AAA Policy in Datapower - 1
  18. JWT Create AAA Policy in Datapower - 2. Select JSON Web Token policy.
  19. JWT with Signing Policy in Datapower (screenshot callouts): Server Private Key used for Signing; Encryption Algorithms; Additional Claims; Issuer & Expiry.
  20. JWT with Encryption Policy in Datapower (screenshot callouts): Encryption Algorithms; Issuer & Expiry; Server Private Key used for Signing; Client Public Certificate used for Encryption.
  21. JWT Validate Policy in Datapower
  22. JWT Validate AAA Policy in Datapower - 1. Select the JWT validation policy.
  23. JWT Validate AAA Policy in Datapower - 2
  24. JWT with Signing Validation Policy in Datapower (screenshot callouts): Server Certificate used for Sign Validation; Issuer.
  25. JWT with Encryption Validation Policy in Datapower (screenshot callouts): Issuer; Server Certificate used for Sign Verification; Client Public Key used for Decryption.
  26. Testing of the Policy
  27. Base64 Encoding of User:Password for Basic HTTP Authentication. dG9ueWY6dG9ueWY= is tonyf:tonyf; the user is present in AAAInfo.xml.
  28. First Request sent to Datapower to generate the token after user authentication (Base64 of Password; the user is in the AAA file). JWT returned in the Authorization header:
     eyJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJpZGciLCJzdWIiOiJ0b255ZiIsImV4cCI6MTU4NDg5MzI5OX0.ih6we3urbUDNo6Mkq1UBujUWXYK_ZInaEfH6ht_P3pT0LHjNaah6cUWBheWeARJ9ltHYW5HcYh8GzkQA5hL6cl_goXjnNlIWokfJAAYszJVGnmXMrO0BHIFp2CaDdIFOf24ssdvigY51R9rhBOBTJNcsKlOhlZ_RUcohPCTYtCvFCzagnMCc0rSTWUspEWtEt6UUzslnbO_dzdfut5NGh9nxYCd6E6CssdEb3sCJMXh38D4xHEZD5bzA3guEjl9xXYSntF9jdtf4t81HoCWF9hQrESPzmpAWuCh4OpKD_FqqLmLbrfppex7fEPpUOja-ss3EdeLjA747MTTELKEwaw
  29. JWT Validation in Datapower. Testing of the sample token in the jwt.io external website.
  30. Request sent to Datapower for Validation of the Generated Token. JWT sent in the Authorization header.
  31. First Request sent to Datapower to generate an encrypted JWT Token (Base64 of Password; the user is in the AAA file). JWT with Encryption returned in the Authorization header:
     eyJlbmMiOiJBMTI4Q0JDLUhTMjU2IiwiYWxnIjoiUlNBMV81IiwiY3R5IjoiSldUIn0.BaoEctrBCPrwA5eHppZMN8-X0eP2m2KTsTin-SVPEaJko8upuBRBReFyjOJ9vdb-uLmDdQWzdqEoa-6rV1N-AIbFn-fubQnmJQAqSWrF9QvaARN1OatJhYOpo_NHBKzUa0VYeJ1IsBBP3wo5r7x2SaYb3kBDYiRqzUzmVAThmuTcyRoASzmyjXw35IqHxqBMcUWrPALIgCySQdkTASK0iCMAXNdiBwm0j2b1WlU7_UxjTqaYW85XpK0RY0aQ8IxZKe_0R5qt8kij3ghXVtEOQOxNRVOz4gXYdcTb609265tgFEssLc8TIwc70JIu9THLR38hz10CR7XGXVQrfLmZzw.nRAF3ZAHdUqM1Mq3CXx3yA.1nl86tTcvk8sHWIyXzHhnVLC_4Uj4cUJTQHqun9mx-rXP1h7v5Q8CkthT8Hly1eVEROtTJ4MnQWjYM8uQsZ6R5PJT4TBIWnh9DXWwWGizqJ9Un6rK2ynOMzigMVIjpRkAvnfZ42EiOZaKoZ5OlsyHKoFuJqJqydcCDMsvmsK3Rf7T-cChfSxnmuuBLff5X_3_0nVAAIUIhh2idfScM410JDJIel6ELChBzmpeYxQfRrczlbKk2-RVS4ubQ8t-HG8WnF4xadgmGmAssDb4TOdXm4G2l3r91aybhg7OlMeiWpuc2Ygkz0Nx4K6WDMnArQGoVQnXqbLtwBX0Xs6cNoAlVUagKTWHaN8Api1AFjN7MfJ-_4kzgq28jT4upUTg00U9i5hqtf1sfLnI52R2P-v7POY2amNoDmzZYS-TA0gEelX1ywpFdeErKIMxtIf3sAocekMyblkY0z5l6WXhUFXR_zWfZPjKAvjwloaeCXrsBli9WmP3onFhtvIacqy0qic50QkLJlEsYQbhqrOchnmFUht4_Gvi74yjD9Ov6YMBZT6Gt0AfHZDkcKKdGzznbyD.NK-7Cz2YCIIcStUfc5SpVw
  32. References
     • Datapower Hello-World: https://developer.ibm.com/datapower/config/
     • MQ: https://hub.docker.com/r/ibmcom/mq/
     • MQ: https://github.com/ibm-messaging/mq-container
     • MQ Admin Tool: https://sourceforge.net/projects/mqadmintool/
     • ACE: https://github.com/ot4i/ace-docker
     • JWT with X5C: https://github.com/pglezen/dpx5cjwt
     • OAuth on DP: https://www.ibm.com/developerworks/websphere/library/techarticles/1208_rasmussen/1208_rasmussen.html
     • OAuth on DP Git: https://github.com/pglezen/dp-article-oauth-clients
     • SSKEY: http://rcbj.net/blog01/2012/03/17/generating-and-uploading-a-shared-key-symmetric-key-to-datapower-appliances/
     • JOSE: https://jose.readthedocs.io/en/latest/
     • Base64: https://www.base64encode.org/
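The two tokens on the test slides (28 and 31) are a good way to see what the "JWT Structure" slide and the Issuer & Expiry settings on the signing and validation slides mean in practice. The script below is an added example, not the deck's or DataPower's code: it splits each token in compact form, decodes the headers and the signed payload, and applies the issuer and expiry checks the validate policy is configured with, plus an algorithm pin (an assumption: that the policy is only meant to accept RS256). The RS256 signature check and the JWE decryption need the Server Certificate and the Client Key held in DataPower's crypto objects, which the deck does not publish, so those steps are reported as pending rather than performed.

```python
"""Parse the signed (JWS) and encrypted (JWE) tokens from the deck's test
slides and apply the claim checks the JWT validate policy is set up with.
Added example; the tokens are the deck's own, copied with line wraps removed."""
import base64
import json
from datetime import datetime, timezone

# Signed JWT from slide 28, split at the slide's line wraps.
SIGNED_TOKEN = (
    "eyJhbGciOiJSUzI1NiJ9."
    "eyJpc3MiOiJpZGciLCJzdWIiOiJ0b255ZiIsImV4cCI6MTU" "4NDg5MzI5OX0."
    "ih6we3urbUDNo6Mkq1UBujUWXYK_ZInaEfH6ht_P3pT0LHjNa"
    "ah6cUWBheWeARJ9ltHYW5HcYh8GzkQA5hL6cl_goXjnNlIWokfJAAYszJVGnmX"
    "MrO0BHIFp2CaDdIFOf24ssdvigY51R9rhBOBTJNcsKlOhlZ_RUcohPCTYtCvFCza"
    "gnMCc0rSTWUspEWtEt6UUzslnbO_dzdfut5NGh9nxYCd6E6CssdEb3sCJMXh38"
    "D4xHEZD5bzA3guEjl9xXYSntF9jdtf4t81HoCWF9hQrESPzmpAWuCh4OpKD_Fqq"
    "LmLbrfppex7fEPpUOja-ss3EdeLjA747MTTELKEwaw"
)

# Encrypted JWT from slide 31, split at the slide's line wraps.
ENCRYPTED_TOKEN = (
    "eyJlbmMiOiJBMTI4Q0JDLUhTMjU2IiwiYWxnIjoiUlNBMV81IiwiY3R5IjoiSldUIn0.BaoEctr"
    "BCPrwA5eHppZMN8-X0eP2m2KTsTin-SVPEaJko8upuBRBReFyjOJ9vdb-"
    "uLmDdQWzdqEoa-6rV1N-AIbFn-"
    "fubQnmJQAqSWrF9QvaARN1OatJhYOpo_NHBKzUa0VYeJ1IsBBP3wo5r7x2SaYb3kBDYi"
    "RqzUzmVAThmuTcyRoASzmyjXw35IqHxqBMcUWrPALIgCySQdkTASK0iCMAXNdiBwm0j"
    "2b1WlU7_UxjTqaYW85XpK0RY0aQ8IxZKe_0R5qt8kij3ghXVtEOQOxNRVOz4gXYdcTb60"
    "9265tgFEssLc8TIwc70JIu9THLR38hz10CR7XGXVQrfLmZzw.nRAF3ZAHdUqM1Mq3CXx"
    "3yA.1nl86tTcvk8sHWIyXzHhnVLC_4Uj4cUJTQHqun9mx-"
    "rXP1h7v5Q8CkthT8Hly1eVEROtTJ4MnQWjYM8uQsZ6R5PJT4TBIWnh9DXWwWGizqJ9U"
    "n6rK2ynOMzigMVIjpRkAvnfZ42EiOZaKoZ5OlsyHKoFuJqJqydcCDMsvmsK3Rf7T-"
    "cChfSxnmuuBLff5X_3_0nVAAIUIhh2idfScM410JDJIel6ELChBzmpeYxQfRrczlbKk2-"
    "RVS4ubQ8t-"
    "HG8WnF4xadgmGmAssDb4TOdXm4G2l3r91aybhg7OlMeiWpuc2Ygkz0Nx4K6WDMnArQ"
    "GoVQnXqbLtwBX0Xs6cNoAlVUagKTWHaN8Api1AFjN7MfJ-"
    "_4kzgq28jT4upUTg00U9i5hqtf1sfLnI52R2P-v7POY2amNoDmzZYS-"
    "TA0gEelX1ywpFdeErKIMxtIf3sAocekMyblkY0z5l6WXhUFXR_zWfZPjKAvjwloaeCXrsBli9"
    "WmP3onFhtvIacqy0qic50QkLJlEsYQbhqrOchnmFUht4_Gvi74yjD9Ov6YMBZT6Gt0AfHZ"
    "DkcKKdGzznbyD.NK-7Cz2YCIIcStUfc5SpVw"
)


def b64url_decode(segment: str) -> bytes:
    """Base64url without padding, as used by JWS/JWE compact serialization."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def parse_compact(token: str) -> dict:
    """Split a compact token: 3 parts = JWS (header.payload.signature),
    5 parts = JWE (header.encrypted_key.iv.ciphertext.tag). Anything else is
    rejected before a single claim is read."""
    parts = token.split(".")
    header = json.loads(b64url_decode(parts[0]))
    if len(parts) == 3:
        return {"kind": "JWS", "header": header,
                "payload": json.loads(b64url_decode(parts[1])),
                "signature": b64url_decode(parts[2])}
    if len(parts) == 5:
        return {"kind": "JWE", "header": header,
                "encrypted_key": b64url_decode(parts[1]),
                "iv": b64url_decode(parts[2]),
                "ciphertext": b64url_decode(parts[3]),
                "tag": b64url_decode(parts[4])}
    raise ValueError(f"expected 3 or 5 dot-separated parts, got {len(parts)}")


def check_claims(parsed: dict, expected_iss: str, expected_alg: str, now: int):
    """Issuer and expiry checks as on the validation slides, plus an alg pin
    (assumption: only RS256 is acceptable) so a header naming any other alg,
    including "none", is refused before signature work. Returns (ok, reason)."""
    if parsed["kind"] != "JWS":
        return False, "not a signed token; decrypt first (needs the Client Key)"
    alg = parsed["header"].get("alg")
    if alg != expected_alg:
        return False, f"unexpected alg {alg!r}"
    claims = parsed["payload"]
    if claims.get("iss") != expected_iss:
        return False, f"issuer mismatch: {claims.get('iss')!r}"
    exp = claims.get("exp")
    if not isinstance(exp, int):
        return False, "exp claim missing or not numeric"
    if now >= exp:
        expired_at = datetime.fromtimestamp(exp, timezone.utc).isoformat()
        return False, f"expired at {expired_at}"
    return True, "iss/exp ok; RS256 signature still to be verified with the Server Certificate"


if __name__ == "__main__":
    jws = parse_compact(SIGNED_TOKEN)
    print(jws["header"], jws["payload"], len(jws["signature"]), "signature bytes")
    now = int(datetime.now(timezone.utc).timestamp())
    print(check_claims(jws, "idg", "RS256", now))  # the slide's token has long expired
    jwe = parse_compact(ENCRYPTED_TOKEN)
    print(jwe["header"], {k: len(v) for k, v in jwe.items() if isinstance(v, bytes)})
```

Running it shows the signed token as {"alg":"RS256"} over {"iss":"idg","sub":"tonyf","exp":1584893299} with a 256-byte signature, i.e. a 2048-bit RSA key like the ones generated on slide 4. The encrypted token's header is {"enc":"A128CBC-HS256","alg":"RSA1_5","cty":"JWT"}: a 256-byte RSA-wrapped content key, a 16-byte IV, a ciphertext that is a multiple of 16 bytes and a 16-byte tag, with cty telling the validator that what it will find after decrypting is a nested signed JWT, exactly the sign-then-encrypt layering of slides 20 and 25. Two points a practitioner should take from the example: the expected algorithm is pinned rather than read from the header, and RFC 8725 steers new deployments from RSA1_5 toward RSA-OAEP for key wrapping.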