Security Patterns with WSO2 ESB
May 2014
Isuru Udana, Senior Software Engineer
Jeewantha Dharmaparakrama, Software Engineer

About the Presenters
• Jeewantha Dharmaparakrama, Software Engineer, WSO2, [email protected]
• Isuru Udana, Senior Software Engineer, WSO2, [email protected]

About WSO2
• Global enterprise, founded in 2005 by acknowledged leaders in XML, web services technologies, standards and open source
• Provides only open source platform-as-a-service for private, public and hybrid cloud deployments
• All WSO2 products are 100% open source and released under the Apache License Version 2.0
• Is an active member of OASIS, Cloud Security Alliance, OSGi Alliance, AMQP Working Group, OpenID Foundation and W3C
• Driven by innovation
  • Launched the first open source API Management solution in 2012
  • Launched App Factory in 2Q 2013
  • Launched Enterprise Store and the first open source Mobile solution in 4Q 2013

What WSO2 delivers

Outline
• Security with WSO2 ESB
  • WS-Security
  • Transport Level Security
  • OAuth and Entitlement
• Some of the commonly used security patterns in SOA
  • Authentication patterns
  • Authorization patterns
  • Data confidentiality
  • Data integrity and non-repudiation
• Q&A

Security Requirements
• Authentication
• Authorization
• Confidentiality
• Integrity
• Non-repudiation
• Availability

WSO2 ESB
• A lightweight, high performance ESB
• Feature rich and standards compliant
  • SOAP and WS-* standards
  • REST support
  • Domain specific protocol support (e.g. FIX, HL7)
• User friendly and highly extensible
• 100% free and open source with commercial support

Security with WSO2 ESB
• WS-Security
• Transport Level Security
• OAuth and Entitlement

WS-Security with WSO2 ESB
• WS-Security is an extension to SOAP for applying security to web services
• Provides message-level security
• Apache Rampart handles WS-Security in the ESB
• Policy (WS-SecurityPolicy) driven
WS-Security with WSO2 ESB...
Unsecured Services
WS-Security with WSO2 ESB...
Exposing Unsecured Services as Secured
WS-Security with WSO2 ESB...
WS-Security with WSO2 ESB...
Exposing Secured Services as Unsecured
WS-Security with WSO2 ESB...
Security Transition

Transport Level Security
HTTPS Transport
• High performance PassThrough Transport
• Supports:
  • SSL
  • Mutual SSL
  • SSL profiles (inbound and outbound)
  • Verification of certificate revocation (OCSP/CRL)
  • SSL tunneling
HTTPS Transport

Mutual SSL
• Client and server authenticate each other
• Similar to SSL but with the addition of client authentication
• The server requests the client to provide a certificate
• Typically used when an extra level of security is needed
• Extra cost involved
Demo 1: Mutual SSL

SSL Outbound Profiles
• Allows specifying different SSL profiles for different backend servers
• Each profile has a separate KeyStore and TrustStore
• Allows connecting to different target servers using different certificates and identities

SSL Inbound Profiles
• Allows specifying different SSL profiles for different IP addresses of the server
• Each profile has a separate KeyStore and TrustStore

Verification of Certificate Revocation
- A certificate has an expiry time.
- What if a certificate gets revoked before the expiration time?
- There should be a way to make those certificates untrustworthy.
• Certificate Revocation List (CRL)
• Online Certificate Status Protocol (OCSP)

CRL
• A Certificate Revocation List (CRL) is a list of certificates that have been revoked by their issuer (CA)
• Entities presenting those (revoked) certificates should no longer be trusted
• A CRL is generated and published periodically

OCSP
• Online Certificate Status Protocol offers an alternative to a certificate revocation list (CRL)
• Real-time revocation status during the certificate verification process
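The transport-level features on the preceding slides (mutual SSL, inbound and outbound SSL profiles, CRL-based revocation checking) mapped onto Python's standard ssl module, as an added example that is not part of the original deck and is not WSO2 code. The profile names, file paths and host addresses are constructed placeholders; the standard library has no OCSP client, so only the CRL half of the revocation slide is shown.

```python
import ssl
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class SslProfile:
    """One SSL profile, as on the slides: its own key store and trust store."""
    certfile: str                   # PEM certificate (plus chain) presented to the peer
    keyfile: str                    # private key matching certfile
    cafile: str                     # trusted CAs used to verify the peer's certificate
    crlfile: Optional[str] = None   # CRL published by those CAs (PEM), if available


# Constructed placeholder profiles (assumption); these paths do not exist on disk.
DEFAULT_OUTBOUND = SslProfile("certs/esb.pem", "certs/esb.key", "certs/public-cas.pem")
OUTBOUND_PROFILES: Dict[str, SslProfile] = {
    # backend host -> identity and trust store used when the ESB connects to it
    "payments.internal": SslProfile("certs/esb-payments.pem", "certs/esb-payments.key",
                                    "certs/payments-ca.pem", "certs/payments-ca.crl.pem"),
}
INBOUND_PROFILES: Dict[str, SslProfile] = {
    # listener IP address -> identity and trust store presented on that address
    "10.0.0.5": SslProfile("certs/esb-partner.pem", "certs/esb-partner.key",
                           "certs/partner-ca.pem", "certs/partner-ca.crl.pem"),
    "10.0.0.6": SslProfile("certs/esb-internal.pem", "certs/esb-internal.key",
                           "certs/internal-ca.pem"),
}


def base_context(purpose: ssl.Purpose, require_peer_cert: bool) -> ssl.SSLContext:
    """Verification policy only; no files are loaded here.

    Purpose.CLIENT_AUTH builds a listener (inbound) context, Purpose.SERVER_AUTH an
    outbound one.  Mutual SSL means the listener must *require* a client certificate;
    create_default_context() only requires the peer certificate on the client side.
    """
    ctx = ssl.create_default_context(purpose)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if require_peer_cert:
        ctx.verify_mode = ssl.CERT_REQUIRED
    # Revocation: "what if a certificate gets revoked before it expires?"  With this
    # flag set the handshake fails unless a current CRL for the issuer has been loaded,
    # so a missing or stale CRL is a hard failure rather than a silently skipped check.
    ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
    return ctx


def inbound_base(require_peer_cert: bool = True) -> ssl.SSLContext:
    """Listener context; require_peer_cert=True is the mutual SSL setting."""
    return base_context(ssl.Purpose.CLIENT_AUTH, require_peer_cert)


def outbound_base() -> ssl.SSLContext:
    """Client-side context used when the ESB calls a backend."""
    return base_context(ssl.Purpose.SERVER_AUTH, require_peer_cert=True)


def policy_summary(ctx: ssl.SSLContext) -> Dict[str, object]:
    """The three settings worth checking before a listener goes live."""
    return {"requires_peer_cert": ctx.verify_mode == ssl.CERT_REQUIRED,
            "checks_crl": bool(ctx.verify_flags & ssl.VERIFY_CRL_CHECK_LEAF),
            "min_tls": ctx.minimum_version.name}


def select_outbound_profile(backend_host: str) -> SslProfile:
    """Outbound SSL profiles: a different identity per backend, default otherwise."""
    return OUTBOUND_PROFILES.get(backend_host, DEFAULT_OUTBOUND)


def load_profile(ctx: ssl.SSLContext, profile: SslProfile) -> ssl.SSLContext:
    """Attach a profile's key store, trust store and CRL to a context (needs real files)."""
    ctx.load_cert_chain(profile.certfile, profile.keyfile)
    ctx.load_verify_locations(cafile=profile.cafile)
    if profile.crlfile:
        # CRLs load through the same call; they only take effect because of verify_flags.
        ctx.load_verify_locations(cafile=profile.crlfile)
    return ctx


def outbound_context(backend_host: str) -> ssl.SSLContext:
    """Context the ESB would use to connect to backend_host under its outbound profile."""
    return load_profile(outbound_base(), select_outbound_profile(backend_host))


def inbound_contexts() -> Dict[str, ssl.SSLContext]:
    """One mutual-SSL listener context per server IP address (inbound profiles)."""
    return {ip: load_profile(inbound_base(), profile) for ip, profile in INBOUND_PROFILES.items()}


if __name__ == "__main__":
    print("listener policy:", policy_summary(inbound_base()))
    print("profile for payments.internal:", select_outbound_profile("payments.internal").certfile)
```

`inbound_base()` and `select_outbound_profile()` run without any files; `load_profile()` and the two functions built on it need the key store, trust store and CRL to exist at the configured paths.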

SSL Tunneling
• If a proxy service connects to a back-end server through a proxy server, SSL tunneling can be enabled through the proxy server
• SSL tunneling prevents any intermediary proxy servers from interfering with the communication

OAuth mediator
• Used for constrained access delegation
• The client has to get an OAuth access token from the Authorization server
• When a client sends a request with an OAuth token, the OAuth mediator gets the access token validated by the Authorization server
Example configuration:
    <oauthService xmlns="http://ws.apache.org/ns/synapse" remoteServiceUrl="https://localhost:9443/service" username="foo" password="bar" />

Entitlement mediator
• Intercepts requests and evaluates the actions performed by the user against an eXtensible Access Control Markup Language (XACML) policy
• WSO2 Identity Server can be used as the XACML Policy Decision Point (PDP), where the policy is set
• WSO2 ESB serves as the XACML Policy Enforcement Point (PEP), where the policy is enforced

Some common security patterns with WSO2 ESB
Authentication
• Direct authentication
• Brokered authentication
• Protocol transition
• Trusted subsystem
Direct Authentication

Brokered Authentication
• Security Token Service - SAML Assertions
• Kerberos
http://wso2.com/library/articles/2012/07/kerberos-authentication-using-wso2-products/
Protocol Transition
Trusted Subsystem

Some common security patterns with WSO2 ESB (contd.)
Authorization
• Role based access control
• Claim based authorization
• Constrained access delegation
Role based Access Control

Claim based Authorization
Authorization based on claims carried in a SAML token, using the Entitlement Mediator: https://docs.wso2.org/display/ESB481/Entitlement+Mediator
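The PEP/PDP split behind the entitlement mediator slide and the claim-based authorization above, modelled in plain Python as an added example that is not part of the original deck and is not WSO2 or XACML engine code. A constructed SAML 2.0 assertion supplies the claims, a small first-applicable rule set stands in for the XACML policy, the PDP evaluates it and the PEP forwards only on an explicit Permit. The claim URIs follow the wso2 claim dialect but the subject, attribute values, resources and rules are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Callable, Dict, FrozenSet, List

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed SAML 2.0 assertion fragment (assumption).  In the ESB this arrives inside
# the WS-Security header and Rampart verifies its signature *before* any claim is
# trusted; the unsigned sample here is only input for the claim extraction below.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_demo1" Version="2.0">
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://wso2.org/claims/role">
      <saml:AttributeValue>trader</saml:AttributeValue>
      <saml:AttributeValue>employee</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://wso2.org/claims/region">
      <saml:AttributeValue>EU</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

Claims = Dict[str, FrozenSet[str]]


def claims_from_assertion(xml_text: str) -> Claims:
    """Pull the subject and attribute claims out of an (already signature-verified) assertion."""
    root = ET.fromstring(xml_text)   # use defusedxml for documents from untrusted senders
    subject = root.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS) or ""
    claims: Claims = {"subject": frozenset({subject})}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", SAML_NS):
        name = attr.get("Name", "").rsplit("/", 1)[-1]   # ".../claims/role" -> "role"
        claims[name] = frozenset(v.text or "" for v in attr.findall("saml:AttributeValue", SAML_NS))
    return claims


@dataclass(frozen=True)
class Rule:
    effect: str                          # "Permit" or "Deny"
    resource: str                        # glob pattern over the resource path
    actions: FrozenSet[str]              # HTTP methods the rule applies to
    condition: Callable[[Claims], bool]  # predicate over the subject's claims


def has(claims: Claims, name: str, value: str) -> bool:
    return value in claims.get(name, frozenset())


# Constructed policy in the spirit of a XACML policy set, evaluated first-applicable:
# the first rule whose target (resource + action) and condition both match decides.
POLICY: List[Rule] = [
    Rule("Deny", "/stockquote/*", frozenset({"GET", "POST"}),
         lambda c: has(c, "account_status", "suspended")),
    Rule("Permit", "/stockquote/view/*", frozenset({"GET"}),
         lambda c: has(c, "role", "trader") or has(c, "role", "analyst")),
    Rule("Permit", "/stockquote/order/*", frozenset({"POST"}),
         lambda c: has(c, "role", "trader") and has(c, "region", "EU")),
]


def pdp_decide(claims: Claims, resource: str, action: str, policy: List[Rule] = POLICY) -> str:
    """Policy Decision Point (the Identity Server's role): Permit, Deny or NotApplicable."""
    for rule in policy:
        if action in rule.actions and fnmatch(resource, rule.resource) and rule.condition(claims):
            return rule.effect
    return "NotApplicable"


def pep_enforce(assertion_xml: str, resource: str, action: str) -> bool:
    """Policy Enforcement Point (the entitlement mediator's role): forward only on Permit.
    Deny and NotApplicable are both refusals, i.e. the PEP is deny-by-default."""
    return pdp_decide(claims_from_assertion(assertion_xml), resource, action) == "Permit"


if __name__ == "__main__":
    for res, act in [("/stockquote/view/IBM", "GET"), ("/stockquote/order/IBM", "POST"),
                     ("/stockquote/order/IBM", "DELETE")]:
        print(act, res, "->", "forwarded" if pep_enforce(SAMPLE_ASSERTION, res, act) else "refused")
```

The point to carry over to a real deployment is the last function: the PEP treats anything other than an explicit Permit as a refusal, so an action the policy never mentions (DELETE here) is blocked rather than waved through.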
Constrained Access Delegation
Using OAuth Mediator https://docs.wso2.org/display/ESB481/OAuth+Mediator

Constrained Access Delegation (contd.)
1. Client gets registered with the Authorization server (WSO2 IS)
2. Authorization server generates a client ID and client secret for the registered client

Constrained Access Delegation (contd.)
3. Client requests the OAuth access token for the resource from the Authorization server, providing the client ID and secret:
   curl -u <Client_id>:<Client_secret> -k -d "grant_type=password&username=admin&password=admin" -H "Content-Type:application/x-www-form-urlencoded" https://localhost:9444/oauth2endpoints/token
4. Authorization server provides the access token to the client:
   {"token_type":"bearer","expires_in":810, "refresh_token":"8dd86285b6ccde955ce4ab65f41871cb", "access_token":"4eb7939a6db20a0eddcd44e59badcb6"}
5. Client sends the access token in an Authorization HTTP header to the resource server via WSO2 ESB:
   curl -H "Authorization: Bearer 4eb7939a6db20a0eddcd44e59badcb6" -v http://localhost:8282/stockquote/view/IBM
6. OAuth mediator in WSO2 ESB verifies the access token with the Authorization server (WSO2 IS)
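The six-step flow above, together with the OAuth mediator slide earlier, modelled in Python as an added example that is not part of the original deck and is not WSO2 ESB or Identity Server code. A stand-in authorization server handles client registration, the password grant and token validation; a stand-in mediator extracts the bearer token from the Authorization header and refuses the request unless the server vouches for it. The admin/admin user and the 810-second lifetime come from the slide; the injectable clock, the hashing of stored secrets and the response strings are assumptions of this model. One caveat on the slide's curl command: `-k` disables certificate verification and is only acceptable against the local demo server.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


def _derive(secret: str, salt: str) -> str:
    """Client secrets and user passwords are stored only as salted PBKDF2 hashes."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt.encode(), 50_000).hex()


@dataclass
class TokenRecord:
    username: str
    client_id: str
    expires_at: float


class AuthorizationServer:
    """Stands in for WSO2 IS: registers clients (steps 1-2), issues tokens for the
    password grant (steps 3-4) and validates tokens on the ESB's behalf (step 6)."""

    def __init__(self, users: Dict[str, str], token_ttl: int = 810,
                 now: Callable[[], float] = time.time) -> None:
        self._salt = secrets.token_hex(8)
        self._users = {u: _derive(p, self._salt) for u, p in users.items()}
        self._clients: Dict[str, str] = {}        # client_id -> hashed client secret
        self._tokens: Dict[str, TokenRecord] = {}  # access_token -> who it was issued to
        self._ttl = token_ttl
        self._now = now   # injectable clock so expiry can be exercised deterministically

    def register_client(self) -> Tuple[str, str]:
        client_id, client_secret = secrets.token_urlsafe(12), secrets.token_urlsafe(32)
        self._clients[client_id] = _derive(client_secret, self._salt)
        return client_id, client_secret   # the secret is shown to the client exactly once

    def _credential_ok(self, store: Dict[str, str], key: str, value: str) -> bool:
        stored = store.get(key)
        return stored is not None and hmac.compare_digest(stored, _derive(value, self._salt))

    def token(self, client_id: str, client_secret: str, grant_type: str,
              username: str, password: str) -> Optional[dict]:
        """Token endpoint for the password grant; None models an HTTP 400/401."""
        if grant_type != "password":
            return None
        if not self._credential_ok(self._clients, client_id, client_secret):
            return None
        if not self._credential_ok(self._users, username, password):
            return None
        access_token = secrets.token_hex(16)
        self._tokens[access_token] = TokenRecord(username, client_id, self._now() + self._ttl)
        # Same shape as the slide's JSON; the refresh token is issued but not tracked here.
        return {"token_type": "bearer", "expires_in": self._ttl,
                "refresh_token": secrets.token_hex(16), "access_token": access_token}

    def validate(self, access_token: str) -> Optional[str]:
        """Returns the token's user, or None if the token is unknown or past expires_in."""
        record = self._tokens.get(access_token)
        if record is None or self._now() >= record.expires_at:
            return None
        return record.username


class OAuthMediator:
    """Stands in for the ESB's OAuth mediator: reads the bearer token from the
    Authorization header and asks the authorization server whether it is valid."""

    def __init__(self, authorization_server: AuthorizationServer) -> None:
        self._as = authorization_server

    def mediate(self, headers: Dict[str, str]) -> Tuple[bool, str]:
        scheme, _, token = headers.get("Authorization", "").partition(" ")
        if scheme.lower() != "bearer" or not token.strip():
            return False, "401 Unauthorized: missing bearer token"
        user = self._as.validate(token.strip())
        if user is None:
            return False, "401 Unauthorized: invalid or expired token"
        return True, f"forwarded to backend on behalf of {user}"


if __name__ == "__main__":
    server = AuthorizationServer({"admin": "admin"})   # demo user from the slide
    cid, csecret = server.register_client()
    grant = server.token(cid, csecret, "password", "admin", "admin")
    esb = OAuthMediator(server)
    print(esb.mediate({"Authorization": "Bearer " + grant["access_token"]}))
    print(esb.mediate({"Authorization": "Bearer 4eb7939a6db20a0eddcd44e59badcb6"}))  # unknown here
```

The mediator never inspects the token itself; it only forwards what the authorization server confirms, which is the same division of responsibility the slide describes between the ESB and WSO2 IS.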

Some common security patterns with WSO2 ESB (contd.)
Confidentiality
  Data encryption with WS-Security
Non-repudiation + Integrity
  Data signing with WS-Security
Demo 2: WS-Sec Sign and Encryption

Q&A
Business Model

Contact us!