Securing Web Services with CAS Proxy Tickets


description

A solution implemented at Simon Fraser University to use CAS proxy tickets to provide authorization to web services from thick client web applications.

Transcript of Securing Web Services with CAS Proxy Tickets

Page 1: Securing Web Services with CAS Proxy Tickets

June 2010

Securing Web Services
Solving the Web Services Security Problem with an XML Gateway

IT Services - Jeremy Rosenberg / Steve Hillman

About Us

• Jeremy Rosenberg: Developer in IT Services since 2004; identity management strategy; Java developer

• Steve Hillman: IT Architect; with IT Services since 1987; Unix infrastructure

About SFU

• Named after the famous explorer Simon Fraser (1776-1862)
• Opened on September 9, 1965
• One University - Three campuses
  • Burnaby
  • Surrey
  • Vancouver
• 32,000 students
• 900 faculty
• 1600 staff
• 100,000 alumni

About This Presentation

• Definitions
• XML Security Challenges
• About the Layer 7 SecureSpan XML Gateway
• Why we chose SecureSpan
• A little about Public Keys
• Walkthroughs
  • SOAP
  • REST
• Questions

Definitions

Web Service:
• An API to a remote procedure
• Typically accessed over HTTP
• Machine-to-machine communications
• Allows a data source to be loosely coupled to applications
• Makes systems reusable
• Very popular with Twitter, Facebook, Amazon, etc.

Definitions - SOAP vs REST

• SOAP:
  • XML message passing protocol
  • Numerous ‘WS-’ standards
  • Associated with “Big” Web Services
  • Most vendor SOA solutions use SOAP

• REST:
  • URL-addressable objects
    • “http://maps.google.com/maps/api/geocode/xml?address=Memorial+University,+NL,+CA”
  • Accessed and manipulated with standard HTTP GET/POST/PUT/DELETE
  • Lightweight client requirements
  • Stateless (every request is self-contained)
  • WS- standards are less mature

“Put out an A.P.B. on a donut, believed sprinkled.” (cartoon caption)

Web Services Security Challenges

• Web Services can communicate over many transport protocols
• Commonly accessed over web protocols like HTTP
• Easy for Web services to bypass traditional firewalls

• XML-based messages can be deliberately or inadvertently malformed
  • Causes parsers or applications to break
  • Creates new XML threats and vulnerabilities, e.g.:
    • XML parameter tampering
    • XDoS attacks
    • Message replay
    • Oversized/overdeep XML nodes
    • Code injection

• Transactions are principally machine-to-machine
  • New thinking around machine-to-machine credentialing
  • Login pages won’t work

• Services and clients must agree on security parameters
  • crypto preferences
  • standards support
• Need for new kinds of policy coordination
  • Incompatibilities have unforeseen consequences

• Web services enable multi-hop composite applications
  • Example: student onboarding process
  • Message-level security and audit that can span multi-hop SOA transactions end-to-end

Web services expose business functionality through open APIs, requiring new application-aware security measures.

SecureSpan XML Gateway

• Enter the XML Gateway

XML Gateway - What it does

• Parses all inbound and outbound XML messages
• Inspection and modification of XML messages
  • Replace the “Username” value in an inbound XML message with the value extracted from the client certificate
    • Prevents spoofing
  • Blank out the Student Number value in outbound XML messages
    • Prevents accidental leakage of confidential info

XML Gateway

• Thwart attacks
  • Prevent malicious and inadvertent XML attacks
  • Prevent other not-so-obvious application-level attacks, e.g. SQL injection
    • Are you sure every one of your developers sanitizes their inputs?
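The inbound and outbound assertions listed under “XML Gateway - What it does”, plus the size and depth limits that blunt the oversized/overdeep-node and XDoS threats from the challenges list, as an added Python example; this is not Layer 7 SecureSpan code or the presenters' policy, and the namespaces, element names, limits, certificate subject format and sample messages are all constructed.

```python
# Added example (not Layer 7 SecureSpan code): a simplified model of the
# gateway policy. Namespaces, element names, limits, the certificate
# subject format and the sample messages are all constructed.
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
APP_NS = "urn:example:courses"   # constructed application namespace
MAX_BYTES = 64 * 1024            # constructed size limit
MAX_DEPTH = 32                   # constructed nesting limit
CHUNK = 4096

ET.register_namespace("soap", SOAP_NS)
ET.register_namespace("c", APP_NS)


class PolicyViolation(Exception):
    """Raised when a message fails a gateway assertion."""


def check_structure(raw: bytes) -> None:
    """Refuse malformed, oversized or over-deep XML before the backend
    parser sees it. Feeding the pull parser in chunks means an over-deep
    payload is rejected as soon as the limit is crossed, not after a
    complete parse."""
    if len(raw) > MAX_BYTES:
        raise PolicyViolation("message larger than %d bytes" % MAX_BYTES)
    parser = ET.XMLPullParser(events=("start", "end"))
    depth = 0
    try:
        for i in range(0, len(raw), CHUNK):
            parser.feed(raw[i:i + CHUNK])
            for event, _elem in parser.read_events():
                depth += 1 if event == "start" else -1
                if depth > MAX_DEPTH:
                    raise PolicyViolation("nesting deeper than %d" % MAX_DEPTH)
        parser.close()
    except ET.ParseError as exc:
        raise PolicyViolation("malformed XML: %s" % exc) from exc


def accepts(raw: bytes) -> bool:
    """True when the structural checks pass."""
    try:
        check_structure(raw)
        return True
    except PolicyViolation:
        return False


def identity_from_subject(subject_dn: str) -> str:
    """Take the CN from a client-certificate subject such as
    'CN=jdoe,OU=IT Services,O=SFU'. The subject came from the TLS
    handshake, so it is the identity the gateway trusts, not anything
    the client wrote into the message body."""
    for rdn in subject_dn.split(","):
        key, _, value = rdn.strip().partition("=")
        if key.upper() == "CN" and value:
            return value
    raise PolicyViolation("client certificate subject has no CN")


def rewrite_inbound(raw: bytes, subject_dn: str) -> bytes:
    """Inbound assertion: overwrite the client-supplied Username with the
    certificate identity, so a spoofed name never reaches the backend."""
    check_structure(raw)
    root = ET.fromstring(raw)
    names = root.findall(".//{%s}Username" % APP_NS)
    if len(names) != 1:   # exactly one, so a second copy cannot shadow it
        raise PolicyViolation("expected exactly one Username element")
    names[0].text = identity_from_subject(subject_dn)
    return ET.tostring(root)


def redact_outbound(raw: bytes) -> bytes:
    """Outbound assertion: blank every StudentNumber so an over-sharing
    backend cannot leak it past the gateway."""
    root = ET.fromstring(raw)
    for elem in root.iter("{%s}StudentNumber" % APP_NS):
        elem.text = ""
    return ET.tostring(root)


def username_in(raw: bytes) -> str:
    return ET.fromstring(raw).findtext(".//{%s}Username" % APP_NS)


def student_numbers_in(raw: bytes) -> list:
    return [e.text or "" for e in ET.fromstring(raw).iter("{%s}StudentNumber" % APP_NS)]


# Constructed sample traffic: the caller claims to be "notme".
INBOUND = b"""<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body><c:GetCourses xmlns:c="urn:example:courses">
    <c:Username>notme</c:Username><c:Term>1104</c:Term>
  </c:GetCourses></soap:Body></soap:Envelope>"""

OUTBOUND = b"""<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body><c:GetCoursesResponse xmlns:c="urn:example:courses">
    <c:Username>jdoe</c:Username><c:StudentNumber>301234567</c:StudentNumber>
    <c:Course>CMPT 300</c:Course>
  </c:GetCoursesResponse></soap:Body></soap:Envelope>"""

TOO_DEEP = b"<a>" * (MAX_DEPTH + 1) + b"</a>" * (MAX_DEPTH + 1)

if __name__ == "__main__":
    print(rewrite_inbound(INBOUND, "CN=jdoe,OU=IT Services,O=SFU").decode())
    print(redact_outbound(OUTBOUND).decode(), accepts(TOO_DEEP))
```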

Benefits

• Single point-of-entry for Web Services means:
  • Rate control, throttling and queueing to enforce SLAs
  • Standardized logging of all access
  • Auditing
  • Centrally enforced policies
  • Reusable rich set of authentication mechanisms
  • Managed by the Infrastructure team on behalf of all Web Services development groups

Why We Chose Layer7

• Industry leader in this space
• Very responsive
• Available as either hard or soft appliance
• Extensible using Java. We have Java experts.
• Supports every standard known to Man

Standards

XML 1.0, SOAP 1.2, REST, AJAX, XPath 1.0, XSLT 1.0, WSDL 1.1, XML Schema, LDAP 3.0, SAML 1.1/2.0, PKCS #10, X.509 v3 Certificates, FIPS 140-2, Kerberos

W3C XML Signature 1.0, W3C XML Encryption 1.0, SSL/TLS 3.0/1.1, SNMP, SMTP, POP3, IMAP4, HTTP/HTTPS, JMS 1.0, MQ Series, Tibco EMS, FTP, WS-Security 1.1, WS-Trust 1.0

WS-Federation, WS-Addressing, WS-SecureConversation, WS-MetadataExchange, WS-Policy, WS-SecurityPolicy, WS-PolicyAttachment, WS-SecureExchange, WSIL, WS-I, WS-I BSP, UDDI 3.0, XACML 2.0, MTOM

The Gateway Changes Everything

SOAP Security - Cowboy Style

About DNPKI

Definitely Not a Public Key Infrastructure (DNPKI)
• Named out of frustration with the phrase:
  • “Cool, we have PKI now”
• Needed a way to manage X.509 certificates for:
  • HTTPS client certificate authentication
  • WS-Security signature authentication
• Store and push RSA public keys into LDAP
• Ability to de-provision certificate access
• Leveraged existing IdM architecture

SOAP Security - Best Practices

Gateway SOAP Assertions

The Zimbra Conundrum

.../courses?user=me

.../courses?user=notme
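What the gateway has to decide for the two requests above, as an added example that is not SecureSpan or SFU code: the thick client presents a CAS proxy ticket, the gateway validates it and then refuses any `user` that is not the ticket's authenticated user. The in-memory ticket store standing in for the CAS server, the hostnames, the `ticket` query-parameter convention and the `user=me` shorthand are assumptions.

```python
# Added example (not SecureSpan or SFU code): a simplified model of a
# gateway REST assertion that authorizes .../courses?user=... with a CAS
# proxy ticket. The in-memory ticket store stands in for the CAS server;
# hostnames, paths and ticket values are constructed.
import xml.etree.ElementTree as ET
from collections import namedtuple
from urllib.parse import parse_qsl, urlsplit, urlunsplit

CAS_NS = "http://www.yale.edu/tp/cas"
# Proxy callback URLs trusted to hold a proxy-granting ticket on a user's
# behalf (constructed: the Zimbra front end in this example).
TRUSTED_PROXIES = {"https://mail.example.edu/zimbra/casProxyCallback"}

Decision = namedtuple("Decision", "allowed user reason")

# Constructed ticket store: (ticket, service) -> (user, proxy chain).
# A real CAS server binds each ticket to the service it was issued for.
_TICKETS = {
    ("PT-1-example", "https://ws.example.edu/courses"):
        ("jdoe", ["https://mail.example.edu/zimbra/casProxyCallback"]),
    ("PT-2-example", "https://ws.example.edu/courses"):
        ("jdoe", ["https://rogue.example.net/cb"]),
    ("PT-3-example", "https://ws.example.edu/courses"):
        ("jdoe", ["https://mail.example.edu/zimbra/casProxyCallback"]),
}


def proxy_validate(ticket: str, service: str) -> bytes:
    """Stand-in for an HTTPS GET of CAS /proxyValidate?ticket=..&service=..
    that answers in the CAS 2.0 protocol XML format. Like a real CAS
    server it honours a ticket only once, which defeats message replay."""
    if not any(t == ticket for t, _ in _TICKETS):
        code = "INVALID_TICKET"
    elif (ticket, service) not in _TICKETS:
        code = "INVALID_SERVICE"
    else:
        user, chain = _TICKETS.pop((ticket, service))
        proxies = "".join("<cas:proxy>%s</cas:proxy>" % p for p in chain)
        return ("<cas:serviceResponse xmlns:cas='%s'><cas:authenticationSuccess>"
                "<cas:user>%s</cas:user><cas:proxies>%s</cas:proxies>"
                "</cas:authenticationSuccess></cas:serviceResponse>"
                % (CAS_NS, user, proxies)).encode()
    return ("<cas:serviceResponse xmlns:cas='%s'><cas:authenticationFailure "
            "code='%s'>ticket %s not recognized</cas:authenticationFailure>"
            "</cas:serviceResponse>" % (CAS_NS, code, ticket)).encode()


def parse_validation(xml_bytes: bytes):
    """Return (user, proxy chain) from a success response or raise
    ValueError carrying the failure code. CAS lists the most recent
    proxy first, so chain[0] is the front end that obtained the ticket."""
    root = ET.fromstring(xml_bytes)
    ok = root.find("{%s}authenticationSuccess" % CAS_NS)
    if ok is None:
        fail = root.find("{%s}authenticationFailure" % CAS_NS)
        raise ValueError(fail.get("code") if fail is not None else "UNKNOWN")
    user = ok.findtext("{%s}user" % CAS_NS)
    if not user:
        raise ValueError("NO_USER")
    return user, [p.text for p in ok.iter("{%s}proxy" % CAS_NS)]


def authorize(request_url: str) -> Decision:
    """Gateway REST assertion for a request such as
    https://ws.example.edu/courses?user=me&ticket=PT-... . Conventions
    assumed here: the ticket travels as the `ticket` query parameter, the
    CAS service identity is the URL without that parameter, and user=me
    is shorthand for whoever the ticket authenticates."""
    parts = urlsplit(request_url)
    params = dict(parse_qsl(parts.query))
    ticket = params.pop("ticket", "")
    if not ticket.startswith("PT-"):
        return Decision(False, None, "missing or non-proxy ticket")
    service = urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))
    try:
        user, chain = parse_validation(proxy_validate(ticket, service))
    except ValueError as exc:
        return Decision(False, None, "CAS rejected ticket: %s" % exc)
    if not chain or chain[0] not in TRUSTED_PROXIES:
        return Decision(False, user, "ticket not proxied by a trusted front end")
    requested = params.get("user", "me")
    if requested not in ("me", user):
        return Decision(False, user, "user=%s but ticket belongs to %s" % (requested, user))
    return Decision(True, user, "ok")


if __name__ == "__main__":
    url = "https://ws.example.edu/courses?user=%s&ticket=%s"
    print(authorize(url % ("notme", "PT-1-example")))  # refused: wrong user
    print(authorize(url % ("me", "PT-3-example")))     # allowed as jdoe
    print(authorize(url % ("me", "PT-3-example")))     # refused: replayed ticket
```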

REST Security that Never Rests

Gateway REST Assertions

Lessons Learned

• Security is an enabler
• Stick to standards where possible
• A good vendor is huge
• Start small
  • Control the service and consumer
• Security can be fun!

THANK YOU
