Security Patterns with WSO2 ESB



  1. Security Patterns with WSO2 ESB, May 2014. Isuru Udana, Senior Software Engineer; Jeewantha Dharmaparakrama, Software Engineer.
  2. About the Presenters
     • Jeewantha Dharmaparakrama, Software Engineer, WSO2
     • Isuru Udana, Senior Software Engineer, WSO2
  3. About WSO2
     • Global enterprise, founded in 2005 by acknowledged leaders in XML, web services technologies, standards and open source
     • Provides only open source platform-as-a-service for private, public and hybrid cloud deployments
     • All WSO2 products are 100% open source and released under the Apache License Version 2.0.
     • Is an Active Member of OASIS, Cloud Security Alliance, OSGi Alliance, AMQP Working Group, OpenID Foundation and W3C.
     • Driven by Innovation:
       • Launched first open source API Management solution in 2012
       • Launched App Factory in 2Q 2013
       • Launched Enterprise Store and first open source Mobile solution in 4Q 2013
  4. What WSO2 delivers
  5. Outline
     • Security with WSO2 ESB
       • WS-Security
       • Transport Level Security
       • OAuth and Entitlement
     • Some of the commonly used Security Patterns in SOA
       • Authentication patterns
       • Authorization patterns
       • Data Confidentiality
       • Data integrity and non-repudiation
     • QnA
  6. Security Requirements
     • Authentication
     • Authorization
     • Confidentiality
     • Integrity
     • Non-repudiation
     • Availability
  7. WSO2 ESB
     • A lightweight, high-performance ESB
     • Feature rich and standards compliant
       • SOAP and WS-* standards
       • REST support
       • Domain-specific protocol support (e.g. FIX, HL7)
     • User friendly and highly extensible
     • 100% free and open source with commercial support
  8. Security with WSO2 ESB
     • WS-Security
     • Transport Level Security
     • OAuth and Entitlement
  9. WS-Security with WSO2 ESB
     • WS-Security is an extension to SOAP to apply security to Web services
     • Provides message-level security
     • Apache Rampart handles WS-Security at the ESB
     • Policy (WS-SecurityPolicy) driven
  10. WS-Security with WSO2 ESB: Unsecured Services
  11. WS-Security with WSO2 ESB: Exposing Unsecured Services as Secured
  12. WS-Security with WSO2 ESB
  13. WS-Security with WSO2 ESB: Exposing Secured Services as Unsecured
  14. WS-Security with WSO2 ESB: Security Transition
  15. Transport Level Security
     • HTTPS Transport: high-performance PassThrough Transport. Supports:
       • SSL
       • Mutual SSL
       • SSL Profiles (Inbound and Outbound)
       • Verification of certificate revocation (OCSP/CRL)
       • SSL Tunneling
  16. HTTPS Transport
  17. Mutual SSL
     • Client and the server authenticating each other
     • Similar to SSL but with the addition of client authentication
     • Server requests the client to provide a certificate
     • Typically used when an extra level of security is needed.
     • Extra cost involved
  18. Demo 1: Mutual SSL
  19. SSL Outbound Profiles
     • Allows specifying different SSL profiles for different backend servers
     • Each profile has a separate KeyStore and a TrustStore
     • Allows connecting to different target servers using different certificates and identities
  20. SSL Inbound Profiles
     • Allows specifying different SSL profiles for different IPs of the server
     • Each profile has a separate KeyStore and a TrustStore
  21. Verification of Certificate Revocation
     - A certificate has an expiry time.
     - What if a certificate gets revoked before the expiration time?
     - There should be a way to make those certificates untrustworthy.
     • Certificate Revocation List (CRL)
     • Online Certificate Status Protocol (OCSP)
  22. CRL
     • A Certificate Revocation List (CRL) is a list of certificates that have been revoked by their issuer (CA)
     • Entities presenting those (revoked) certificates should no longer be trusted
     • A CRL is generated and published periodically
  23. OCSP
     • Online Certificate Status Protocol offers an alternative to a certificate revocation list (CRL)
     • Real-time revocation status during the certificate verification process
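As an added example (not from the deck and not WSO2's code), the CRL half of the revocation check in Go: before a peer certificate's serial number is looked up in the list, the CRL must verify against the issuing CA and be within its ThisUpdate/NextUpdate window, because a stale or unsigned list proves nothing. The CA, the CRL and the serial numbers 100 and 101 are constructed here; a real endpoint fetches the CRL from the distribution point named in the certificate.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// RevocationStatus is the CRL check on a peer certificate: CRL signed by the issuing CA and current, then the serial is looked up.
func RevocationStatus(crlDER []byte, issuer *x509.Certificate, peerSerial *big.Int, now time.Time) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, err
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return false, fmt.Errorf("CRL not signed by the issuing CA: %w", err)
	}
	if now.Before(crl.ThisUpdate) || now.After(crl.NextUpdate) {
		return false, fmt.Errorf("CRL not current: valid %s to %s", crl.ThisUpdate, crl.NextUpdate)
	}
	for _, e := range crl.RevokedCertificateEntries {
		if e.SerialNumber.Cmp(peerSerial) == 0 {
			return true, nil
		}
	}
	return false, nil
}

// Demo builds a constructed CA and a CRL revoking serial 100, checks serials 100 and 101, and checks a stale (48 h late) lookup.
func Demo() (revoked100, revoked101, staleRejected bool) {
	now := time.Now()
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign} // CRLSign is required
	caDER, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv) // a failure surfaces below as a nil issuer
	ca, _ := x509.ParseCertificate(caDER)
	crl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now.Add(-time.Minute), NextUpdate: now.Add(time.Hour),
		RevokedCertificateEntries: []x509.RevocationListEntry{{SerialNumber: big.NewInt(100), RevocationTime: now}}}
	crlDER, err := x509.CreateRevocationList(rand.Reader, crl, ca, priv)
	if err != nil {
		panic(err)
	}
	revoked100, _ = RevocationStatus(crlDER, ca, big.NewInt(100), now)
	revoked101, _ = RevocationStatus(crlDER, ca, big.NewInt(101), now)
	_, staleErr := RevocationStatus(crlDER, ca, big.NewInt(101), now.Add(48*time.Hour))
	return revoked100, revoked101, staleErr != nil
}
```

OCSP replaces the periodically published list with a per-certificate status query, but the same two preconditions apply to the response: it must be signed by a responder the CA vouches for and be within its validity window.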
  24. SSL Tunneling
     • If a proxy service connects to a back-end server through a proxy server, we can enable SSL Tunneling through the proxy server
     • SSL Tunneling prevents any intermediary proxy servers from interfering with the communication
  25. OAuth mediator
     • Used for constrained access delegation.
     • The client has to get an OAuth access token from the Authorization server
     • When a client sends a request with an OAuth token, the OAuth mediator gets the access token validated by the Authorization server.
     Example configuration:
       <oauthService xmlns="http://" remoteServiceUrl="https://localhost:9443/service" username="foo" password="bar" />
  26. Entitlement mediator
     • Intercepts requests and evaluates the actions performed by the user against an eXtensible Access Control Markup Language (XACML) policy.
     • WSO2 Identity Server can be used as the XACML Policy Decision Point (PDP) where the policy is set.
     • WSO2 ESB serves as the XACML Policy Enforcement Point (PEP) where the policy is enforced.
  27. Some common security patterns with WSO2 ESB: Authentication
     • Direct authentication
     • Brokered authentication
     • Protocol transition
     • Trusted subsystem
  28. Direct Authentication
  29. Brokered Authentication
     • Security Token Service - SAML Assertions
     • Kerberos
     http://-authentication-using-wso2-products/
  30. Protocol Transition
  31. Trusted Subsystem
  32. Some common security patterns with WSO2 ESB (contd.): Authorization
     • Role based access control
     • Claim based authorization
     • Constrained access delegation
  33. Role based Access Control
  34. Claim based Authorization
     Authorization based on Claims carried in a SAML token using the Entitlement Mediator
  35. Constrained Access Delegation Using OAuth Mediator
  36. Constrained Access Delegation (contd.)
     1. Client gets registered with the Authorization server (WSO2 IS)
     2. Authorization server generates client ID and client secret for the registered client.
  37. Constrained Access Delegation
     3. Client requests the OAuth access token for the resource from the Authorization server, providing the client ID and secret:
        curl -u <Client_id>:<Client_secret> -k -d "grant_type=password&username=admin&password=admin" -H "Content-Type:application/x-www-form-urlencoded" https://localhost:9444/oauth2endpoints/token
     4. Authorization server will provide the access token to the client:
        {"token_type":"bearer","expires_in":810,"refresh_token":"8dd86285b6ccde955ce4ab65f41871cb","access_token":"4eb7939a6db20a0eddcd44e59badcb6"}
     5. Client will send the access token in an Authorization HTTP header to the resource server via WSO2 ESB:
        curl -H "Authorization:Bearer 4eb7939a6db20a0eddcd44e59badcb6" -v http://localhost:8282/stockquote/view/IBM
     6. OAuth mediator in WSO2 ESB does the access token verification with the Authorization server (WSO2 IS)
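An added example (not from the deck, and not WSO2's OAuth mediator) of the enforcement point in steps 5 and 6, written in Go: the Authorization header is parsed for a bearer token, obviously malformed credentials are refused before any call to the authorization server, the token is handed to a validator standing in for WSO2 IS, and the expires_in lifetime from the step-4 response is honoured locally. The Validator type, the in-memory validator built from a constructed token response, and the subject name admin are assumptions for this example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Validator stands in for the mediator's call to the authorization server (hypothetical interface; the real
// mediator asks WSO2 IS). It reports the subject the token was issued to and when the token expires.
type Validator func(token string) (subject string, expiresAt time.Time, err error)

// Enforce is the policy-enforcement step: reject a missing or malformed bearer credential locally, before any
// network call, then apply the authorization server's verdict and the token lifetime.
func Enforce(authHeader string, validate Validator, now time.Time) (string, error) {
	scheme, token, ok := strings.Cut(authHeader, " ")
	token = strings.TrimSpace(token)
	if !ok || !strings.EqualFold(scheme, "Bearer") || token == "" {
		return "", errors.New("missing or malformed Authorization: Bearer header")
	}
	subject, exp, err := validate(token)
	if err != nil {
		return "", fmt.Errorf("token rejected by authorization server: %w", err)
	}
	if !now.Before(exp) {
		return "", errors.New("access token expired")
	}
	return subject, nil
}

// ValidatorFromTokenResponse builds a constructed in-memory Validator that knows exactly one token: the one in
// a step-4 style JSON response, valid for expires_in seconds from the moment it was issued.
func ValidatorFromTokenResponse(tokenJSON string, issued time.Time) (Validator, error) {
	var tr struct {
		AccessToken string `json:"access_token"`
		ExpiresIn   int    `json:"expires_in"`
	}
	if err := json.Unmarshal([]byte(tokenJSON), &tr); err != nil {
		return nil, err
	}
	expiresAt := issued.Add(time.Duration(tr.ExpiresIn) * time.Second)
	return func(tok string) (string, time.Time, error) {
		if tok != tr.AccessToken {
			return "", time.Time{}, errors.New("unknown token")
		}
		return "admin", expiresAt, nil // the step-3 password grant was for user admin
	}, nil
}
```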
  38. Some common security patterns with WSO2 ESB (contd.)
     • Confidentiality: data encryption with WS-Security
     • Non-repudiation + Integrity: data signing with WS-Security
  39. Demo 2: WS-Sec Sign and Encryption
  40. QnA
  41. Business Model
  42. Contact us!