The Common Services Framework Project

Adding Security and Values to Heterogeneous Web Services Environment

Frederick Chong, Software Design Engineer, Microsoft
Kevin W. Wall, Staff Software Engineer, Qwest IT
CSF Project Background

• Joint work between the .NET Enterprise Architecture Team, MCS and Qwest.
• The project has multiple phases; this presentation is about phase 1.

Business Drivers

• Expose and resell existing internal Telco applications
• Reuse the same infrastructure for managing external applications hosted by third parties
• Leverage management of Web services through a centralized interface
• Provide a common security solution for Web services

Challenges

Exposing information and functionality in a modular, scalable, secure and internet-friendly way has significant challenges:
• Time-to-market
• Scaling to the web
• Lack of end-to-end development tools
• Inability of applications developed on heterogeneous platforms and environments to interact with one another
XML Web Services to the Rescue

Web services provide loosely coupled applications and components designed for today's heterogeneous computing landscape:
• Improve programmer productivity
• Ease of deployment
• Facilitate sharing and reuse of components
• Communicate using Internet protocols and standards, such as SOAP and XML
Web Services == ISDN?
I See Dollars Now

Selling Web Services

[Diagram: Web application users, Web service consumers and Web service owners/providers.]
Employing Web Services

Applications that employ Web services in their architecture have to consider three phases of the Web service life cycle:
• Web service development
• Web service deployment
• Web service consumption

All phases involve several management challenges.
Development Challenges

Web service developers are concerned with:
• Securing Web services: how to secure service components so that only authenticated and authorized users are able to consume them.
• Managing versions: manage versions of service components so that consumers are least impacted.
• Logging usage and health of services: monitoring the health of a Web service, and reporting on usage (volume, components accessed, …).
Deployment Challenges

Web service administrators are concerned with:
• Security
• Availability
• Reliability
• Recovery
• Access
• User management
• Consumption analysis
• Production environment
Consumer Challenges

Developers writing client applications that consume Web services must address issues such as those faced by their counterparts developing the Web services. Issues that must be analyzed may include:
• How many transactions/sec will the Web service be able to support?
• Are the Web services secure?
• Is the information sent encrypted? If so, how do I encrypt the information?
• How reliable is the Web service?
• Is there a way of knowing my consumption pattern?
Web Services in Qwest

• A large number of custom Web services have been developed and deployed
• Web services support increasingly sophisticated business processes
• Development and management of Web services is continuously evolving in complexity
• Multiple technologies used: .NET, GLUE, WLS

Web Services Common Requirements

All Web services developed have a common set of needs:
• Security: authentication, authorization, confidentiality, data integrity
• Global availability
• Reliability
• Version management
• Metering, monitoring and logging
• Interoperability of applications
Why CSF/WS Management?

In summary:
• Need a set of capabilities to support increasingly sophisticated business processes enabled through Web services
• Address global availability, reliability, security, version management, metering, monitoring, deployment and consumption challenges
• Ensure interoperability of applications
• Lower development and deployment time and cost
• Some of the needs can be met by current Web technologies, but others clearly need new tools
Logical View of the Common Services Framework

[Diagram: Web application users, Web service consumers and Web service owners/providers all interact through the Common Services Framework.]
Basic Flows in the Common Services Framework

[Diagram: Company A (Web service provider) and Company B (Web service consumer) both interact with CSF Administration; Company B's request then passes through the CSF Client Toolkit to the CSF Runtime, which secures, logs and routes it.]

1. Company A registers its organization with CSF.
2. Company A registers its Web service with CSF.
3. Company A defines access policies for the service.
4. Company B registers its organization with CSF.
5. Company B subscribes to Company A's Web service.
6. Company B consumes the Web service; the request goes through the CSF Client Toolkit to the CSF Runtime (Secure, Log, Route).
7. The Web service response is returned to Company B.
CSF Components

CSF components include:
• CSF Administration
  • Registration of Web services
  • Creation and administration of security policies and privileges
  • Multiple routing scenarios and versioning
  • Management of subscriptions to Web service consumption
• CSF Runtime
  • Web services security
  • Unified logging and monitoring
  • Static routing and dynamic routing
• CSF Client Toolkit
  • Standard libraries for Web service clients
  • Configuration driven
  • Enables the client to act as a transparent forward proxy
Challenges Addressed by CSF Phase 1

• Web services security
• Policy-driven routing of Web service requests and responses
• Web service traffic logging
• Builds the foundation for adding more value-added services (metering, billing, etc.)

CSF Security Requirements

• Unilateral or mutual authentication
• Access control at the granularity of a Web service method
• Session-level confidentiality
• Session-level integrity, including replay prevention
CSF Security Wishlist

• End-to-end confidentiality and integrity
• Non-repudiation of origin, of receipt, and of delivery
• Content inspection / scrubbing
  • Input validation
  • Canonicalization
  • Parameter manipulation
Web Services Security

Authentication
• WS-Security
  • Password-based
  • X.509 public key certificates
  • End-to-end authentication
• Basic authentication over HTTPS

Authorization
• Role-based authorization and business rules
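The password-based WS-Security option above, together with the replay-prevention requirement from the CSF security requirements slide, can be shown in working code. The following is an added example, not code from the CSF project: it implements the PasswordDigest form of the WS-Security UsernameToken Profile (Base64 of SHA-1 over nonce, Created and password), checks the Created timestamp against a freshness window in both directions, and caches nonces until the token they belong to would be stale anyway, so a captured token cannot be replayed. The directory lookup, the user "alice" and its password, the nonce values and the fixed clock are constructed for the example; the talk does not say which UsernameToken form CSF used.

```go
package main

import (
	"crypto/sha1"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"sync"
	"time"
)

// UsernameToken holds what a SOAP header handler extracts from a
// wsse:UsernameToken in PasswordDigest form. XML parsing is omitted.
type UsernameToken struct {
	Username       string
	NonceB64       string // wsse:Nonce, Base64 as sent on the wire
	Created        string // wsu:Created, xsd:dateTime in UTC
	PasswordDigest string // Base64(SHA-1(nonce || Created || password))
}

// PasswordDigest computes the UsernameToken Profile digest over the raw
// nonce bytes, the Created string and the shared password.
func PasswordDigest(nonce []byte, created, password string) string {
	h := sha1.New()
	h.Write(nonce)
	h.Write([]byte(created))
	h.Write([]byte(password))
	return base64.StdEncoding.EncodeToString(h.Sum(nil))
}

var (
	ErrUnknownUser = errors.New("unknown user")
	ErrStale       = errors.New("Created timestamp outside freshness window")
	ErrBadDigest   = errors.New("password digest mismatch")
	ErrReplay      = errors.New("nonce already used within freshness window")
)

// Authenticator verifies tokens and rejects replays. lookup stands in for
// the directory (LDAP in the talk) and is an assumption of this example.
type Authenticator struct {
	lookup    func(user string) (password string, ok bool)
	freshness time.Duration    // how far Created may lie from now, either way
	now       func() time.Time // injected clock so the behaviour is reproducible
	mu        sync.Mutex
	seen      map[string]time.Time // Base64 nonce -> when its token becomes stale
}

func NewAuthenticator(lookup func(string) (string, bool), freshness time.Duration, now func() time.Time) *Authenticator {
	return &Authenticator{lookup: lookup, freshness: freshness, now: now, seen: map[string]time.Time{}}
}

// Verify checks freshness, then the digest, then the nonce cache. The nonce
// is recorded only after the digest verifies, so an unauthenticated sender
// cannot fill the cache and lock out nonces a real client will use.
func (a *Authenticator) Verify(t UsernameToken) error {
	created, err := time.Parse(time.RFC3339, t.Created)
	if err != nil {
		return err
	}
	now := a.now()
	if created.After(now.Add(a.freshness)) || now.Sub(created) > a.freshness {
		return ErrStale
	}
	nonce, err := base64.StdEncoding.DecodeString(t.NonceB64)
	if err != nil {
		return err
	}
	pw, ok := a.lookup(t.Username)
	if !ok {
		return ErrUnknownUser
	}
	want := PasswordDigest(nonce, t.Created, pw)
	if subtle.ConstantTimeCompare([]byte(want), []byte(t.PasswordDigest)) != 1 {
		return ErrBadDigest
	}
	a.mu.Lock()
	defer a.mu.Unlock()
	for n, stale := range a.seen { // a token past its freshness fails above anyway
		if now.After(stale) {
			delete(a.seen, n)
		}
	}
	if _, dup := a.seen[t.NonceB64]; dup {
		return ErrReplay
	}
	a.seen[t.NonceB64] = created.Add(a.freshness) // not now+freshness: Created may be in the future
	return nil
}

// BuildToken is the client side, the role the CSF Client Toolkit plays.
func BuildToken(user, password string, nonce []byte, created time.Time) UsernameToken {
	c := created.UTC().Format(time.RFC3339)
	return UsernameToken{
		Username:       user,
		NonceB64:       base64.StdEncoding.EncodeToString(nonce),
		Created:        c,
		PasswordDigest: PasswordDigest(nonce, c, password),
	}
}

func main() {
	clock := func() time.Time { return time.Date(2003, 6, 1, 12, 0, 0, 0, time.UTC) }
	directory := map[string]string{"alice": "s3cret"} // constructed directory entry
	auth := NewAuthenticator(func(u string) (string, bool) { p, ok := directory[u]; return p, ok }, 5*time.Minute, clock)
	tok := BuildToken("alice", "s3cret", []byte("0123456789abcdef"), clock().Add(-time.Minute))
	fmt.Println("first use:", auth.Verify(tok))
	fmt.Println("replay:", auth.Verify(tok))
}
```

The digest protects the password from casual disclosure on the wire, not from offline guessing by anyone who captures the token, so this form still needs a confidential transport such as the HTTPS option on the slide or the WS-Security encryption described later.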
Web Services Security

Authentication and authorization implementations:
• Qwest reused their existing corporate LDAP directory and RSA ClearTrust products
• These could be easily replaced by Microsoft Active Directory and the Windows Role-based Authorization Manager framework
Web Services Security

Confidentiality
• WS-Security
  • Symmetric and asymmetric key encryption
  • End-to-end encryption
• HTTPS, for clients that don't speak WS-Security
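The difference between the two confidentiality options above is where the protection ends: HTTPS protects one hop and terminates at every intermediary, while WS-Security encryption of the Body stays opaque to every intermediary on the path and is removed only by the target service. The following is an added example, not CSF code: it uses the hybrid construction XML Encryption specifies for this case (a random content key wrapped with RSA-OAEP to the provider's public key, here with AES-256-GCM for the Body) without the XML syntax. The Action and Via fields, the provider key pair and the quote message are constructed, and binding the Action field into the ciphertext as associated data is an added design choice, not something the slides describe.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope stands in for a SOAP message whose Body is encrypted the way
// XML Encryption does it: a content key wrapped to the provider
// (xenc:EncryptedKey) and the encrypted Body (xenc:EncryptedData).
// The XML syntax is omitted; the cryptographic construction is the same.
type Envelope struct {
	Action       string // what the consumer invoked; must survive every hop unchanged
	Via          string // hop-by-hop routing note; intermediaries may rewrite it
	EncryptedKey []byte // AES-256 content key, RSA-OAEP wrapped to the provider
	Nonce        []byte // AES-GCM nonce
	Body         []byte // AES-GCM ciphertext of the Body, Action bound in as associated data
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptBody is the consumer side. Only the holder of the matching private
// key (the target Web service) can recover the Body; every CSF intermediary
// on the path still reads Action and Via.
func EncryptBody(provider *rsa.PublicKey, action, body string) (*Envelope, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, provider, key, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{
		Action:       action,
		EncryptedKey: wrapped,
		Nonce:        nonce,
		Body:         gcm.Seal(nil, nonce, []byte(body), []byte(action)),
	}, nil
}

// DecryptBody is the provider side. Because Action is associated data, an
// Action rewritten anywhere along the path makes the GCM tag check fail,
// even though Action itself travels in the clear. Via is not covered.
func DecryptBody(provider *rsa.PrivateKey, e *Envelope) (string, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, provider, e.EncryptedKey, nil)
	if err != nil {
		return "", errors.New("key unwrap failed: message was not encrypted to this service")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	pt, err := gcm.Open(nil, e.Nonce, e.Body, []byte(e.Action))
	if err != nil {
		return "", errors.New("body authentication failed: Action or Body modified in transit")
	}
	return string(pt), nil
}

func main() {
	provider, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed provider key pair
	env, _ := EncryptBody(&provider.PublicKey, "QuoteService/GetQuote", "<GetQuote><Symbol>Q</Symbol></GetQuote>")
	env.Via = "csf-intermediary-1" // an intermediary annotates routing without touching the Body
	fmt.Printf("intermediary sees action=%q via=%q and %d opaque body bytes\n", env.Action, env.Via, len(env.Body))
	body, err := DecryptBody(provider, env)
	fmt.Println("provider sees:", body, err)
}
```

Which header parts get bound this way matters in a chain of intermediaries: an intermediary must be able to add its own routing annotations (Via here) but must not be able to change what the consumer asked for (Action), so only the latter is covered by the tag. A real deployment would additionally sign those parts with a WS-Security signature, which is also what the integrity and non-repudiation items on the requirements and wishlist slides call for.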
Policy-based Routing

• The goal is to enable service differentiation
• Bundle different physical deployments of a Web service into a single service
• Use policy-based routing to enforce service differentiation
• The routing policy can be based on any defined attributes:
  • Class of service, e.g. Silver, Gold or Platinum subscription
  • User privileges, e.g. VP vs. Manager vs. Contractor roles
  • Time of day, etc.
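The slide above lists the attributes a routing policy can use; here is what evaluating such a policy looks like in code. This is an added example, not CSF code: it bundles three physical deployments of a hypothetical QuoteService behind one logical name and picks one by subscription class, directory role and hour of day, with first-match rule order and a fail-closed default. The service name, endpoint hostnames, classes and rule set are constructed; the talk gives only the kinds of attributes, not an actual policy language.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// RequestContext is what the runtime knows once authentication has run.
// Class and Roles come from the subscription records and the directory,
// not from anything the consumer asserts in the message itself.
type RequestContext struct {
	Service string    // logical service the consumer invoked
	Class   string    // subscription class: Silver, Gold, Platinum
	Roles   []string  // directory roles, e.g. VP, Manager, Contractor
	At      time.Time // request time
}

// Rule sends requests matching all of its non-empty conditions to one
// physical deployment. Empty Classes or Roles match anything;
// FromHour == ToHour means any time of day.
type Rule struct {
	Classes  []string
	Roles    []string
	FromHour int // inclusive, 0-23 UTC
	ToHour   int // exclusive; less than FromHour means the window wraps midnight
	Endpoint string
}

// Policy bundles several physical deployments into one logical service.
type Policy struct {
	Service string
	Rules   []Rule // evaluated in order; first match wins
	Default string // endpoint when no rule matches; "" rejects the request
}

var ErrNoRoute = errors.New("no routing rule matched and policy has no default")

func (r Rule) matches(c RequestContext) bool {
	if len(r.Classes) > 0 && !contains(r.Classes, c.Class) {
		return false
	}
	if len(r.Roles) > 0 && !anyOf(r.Roles, c.Roles) {
		return false
	}
	if r.FromHour != r.ToHour {
		h := c.At.UTC().Hour()
		if r.FromHour < r.ToHour {
			return h >= r.FromHour && h < r.ToHour
		}
		return h >= r.FromHour || h < r.ToHour // wraps midnight, e.g. 22-6
	}
	return true
}

// Route picks the physical endpoint for a request, or fails closed.
func (p Policy) Route(c RequestContext) (string, error) {
	if c.Service != p.Service {
		return "", fmt.Errorf("policy for %s applied to request for %s", p.Service, c.Service)
	}
	for _, r := range p.Rules {
		if r.matches(c) {
			return r.Endpoint, nil
		}
	}
	if p.Default == "" {
		return "", ErrNoRoute
	}
	return p.Default, nil
}

func contains(set []string, v string) bool {
	for _, s := range set {
		if s == v {
			return true
		}
	}
	return false
}

func anyOf(set, vals []string) bool {
	for _, v := range vals {
		if contains(set, v) {
			return true
		}
	}
	return false
}

// QuotePolicy is a constructed policy for a hypothetical QuoteService with
// three physical deployments; the hostnames are placeholders.
var QuotePolicy = Policy{
	Service: "QuoteService",
	Rules: []Rule{
		{Classes: []string{"Platinum"}, Endpoint: "https://quote-premium.internal/v2"},
		{Classes: []string{"Gold"}, FromHour: 8, ToHour: 18, Endpoint: "https://quote-premium.internal/v2"},
		{Roles: []string{"VP"}, Endpoint: "https://quote-premium.internal/v2"},
		{Roles: []string{"Contractor"}, Endpoint: "https://quote-sandbox.internal/v1"},
	},
	Default: "https://quote-standard.internal/v2",
}

func main() {
	at := time.Date(2003, 6, 1, 22, 0, 0, 0, time.UTC) // 22:00 UTC, outside the Gold window
	ep, err := QuotePolicy.Route(RequestContext{Service: "QuoteService", Class: "Gold", Roles: []string{"Manager"}, At: at})
	fmt.Println(ep, err)
}
```

Rule order is part of the policy: as written, a Gold-subscribed Contractor during business hours is routed by the class rule before the Contractor rule is reached, so the order has to be reviewed alongside the rules themselves. The other property worth keeping is that a policy with no matching rule and no default rejects the request instead of picking an arbitrary deployment.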
Web Service Logging and Monitoring

• Log Web service requests, responses, security events, etc.
• The logging level can be changed by configuration
• Uses Windows Management Instrumentation (WMI)
• Uses Microsoft Operations Manager (MOM) for collection and analysis
• Foundation for building other value-added services, e.g. metering and billing
CSF Runtime Architecture

• Runtime features are pluggable and configurable
• Input and output pipeline message processing

[Diagram: CSF Runtime Engine. Input pipeline, applied to the SOAP request: Request Message Context, RSA ClearTrust Authentication, Logging using WMI, a custom RSA ClearTrust Business Rules Engine for Authorization, Routing Policy, Message Router. Output pipeline, applied to the SOAP response: Response Message Context, Logging using WMI.]
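The pluggable, configurable pipeline of the runtime architecture above, as an added example rather than CSF code: handlers share a message context, the input pipeline is assembled from a configuration string and stops at the first fault, and the output pipeline runs regardless so that denied requests are still logged. The authentication handler stands in for RSA ClearTrust with a constructed credential table, the authorization handler shows access control at Web service method granularity as the requirements slide asks for, and the log handler appends to the context instead of writing to WMI. The handler names, the Credential header, the accounts and the ACL are assumptions of the example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// MessageContext travels through the input pipeline (request) and the
// output pipeline (response); each handler reads and annotates it.
type MessageContext struct {
	Service, Method string
	Headers         map[string]string // SOAP header values the handlers need
	Principal       string            // set by the authentication handler
	Roles           []string          // set by the authentication handler
	Fault           error             // first handler failure; stops the input pipeline
	Log             []string          // what the logging handlers recorded
}

// Handler is the pluggable unit the runtime assembles pipelines from.
type Handler interface{ Handle(ctx *MessageContext) }

type HandlerFunc func(ctx *MessageContext)

func (f HandlerFunc) Handle(ctx *MessageContext) { f(ctx) }

// Pipeline runs handlers in order. The input pipeline stops at the first
// fault; the output pipeline always runs, so a denied request is still logged.
type Pipeline struct{ Input, Output []Handler }

func (p Pipeline) Process(ctx *MessageContext) error {
	for _, h := range p.Input {
		h.Handle(ctx)
		if ctx.Fault != nil {
			break
		}
	}
	for _, h := range p.Output {
		h.Handle(ctx)
	}
	return ctx.Fault
}

var (
	ErrNotAuthenticated = errors.New("no valid credential")
	ErrNotAuthorized    = errors.New("principal not authorized for this method")
)

// Account is what the directory returns for a credential (constructed here).
type Account struct {
	Name  string
	Roles []string
}

// Authenticate stands in for the ClearTrust step: credential header to principal and roles.
func Authenticate(users map[string]Account) Handler {
	return HandlerFunc(func(ctx *MessageContext) {
		u, ok := users[ctx.Headers["Credential"]]
		if !ok {
			ctx.Fault = ErrNotAuthenticated
			return
		}
		ctx.Principal, ctx.Roles = u.Name, u.Roles
	})
}

// Authorize enforces access control at Web service method granularity:
// acl maps "Service/Method" to the roles allowed to call it. Unlisted
// methods and role-less principals are denied (fail closed).
func Authorize(acl map[string][]string) Handler {
	return HandlerFunc(func(ctx *MessageContext) {
		for _, have := range ctx.Roles {
			for _, want := range acl[ctx.Service+"/"+ctx.Method] {
				if have == want {
					return
				}
			}
		}
		ctx.Fault = ErrNotAuthorized
	})
}

// Log records one line per stage, including the fault if one occurred.
func Log(stage string) Handler {
	return HandlerFunc(func(ctx *MessageContext) {
		line := fmt.Sprintf("%s service=%s method=%s principal=%q", stage, ctx.Service, ctx.Method, ctx.Principal)
		if ctx.Fault != nil {
			line += " fault=" + ctx.Fault.Error()
		}
		ctx.Log = append(ctx.Log, line)
	})
}

// Build assembles both pipelines from comma-separated handler names; an
// unknown name is a deployment error rather than a silently skipped stage.
func Build(inputCfg, outputCfg string, registry map[string]Handler) (Pipeline, error) {
	var p Pipeline
	for _, spec := range []struct {
		names string
		dst   *[]Handler
	}{{inputCfg, &p.Input}, {outputCfg, &p.Output}} {
		if strings.TrimSpace(spec.names) == "" {
			continue
		}
		for _, name := range strings.Split(spec.names, ",") {
			h, ok := registry[strings.TrimSpace(name)]
			if !ok {
				return Pipeline{}, fmt.Errorf("unknown handler %q in configuration", strings.TrimSpace(name))
			}
			*spec.dst = append(*spec.dst, h)
		}
	}
	return p, nil
}

func main() {
	registry := map[string]Handler{
		"auth":    Authenticate(map[string]Account{"tok-alice": {"alice", []string{"Manager"}}}), // constructed
		"authz":   Authorize(map[string][]string{"QuoteService/GetQuote": {"Manager", "VP"}}),     // constructed ACL
		"log-in":  Log("request"),
		"log-out": Log("response"),
	}
	p, _ := Build("auth, log-in, authz", "log-out", registry)
	ctx := &MessageContext{Service: "QuoteService", Method: "PlaceOrder", Headers: map[string]string{"Credential": "tok-alice"}}
	fmt.Println(p.Process(ctx), ctx.Log) // PlaceOrder is not in the ACL: denied, and still logged
}
```

The configuration string is where the ordering guarantee lives: authentication must precede authorization, and a request log stage placed between them records who was identified even when the authorization step then denies the call.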
CSF Runtime Deployment Scenarios

As a Web service intermediary

[Diagram: .NET and J2EE Web service clients, each using the CSF Client Toolkit, send requests to a Web Service Intermediary running the CSF Runtime (Security, Log, Policy-based Routing), which forwards them to .NET and J2EE Web services.]
CSF Runtime Deployment Scenarios

• As a chain of Web service intermediaries
• Distribute processing across intermediaries
• AKA "The Message Bus" to some people

[Diagram: .NET and J2EE Web service clients, using the CSF Client Toolkit, call a first Web Service Intermediary whose CSF Runtime authenticates and routes; it forwards to a second Web Service Intermediary whose CSF Runtime authorizes, logs and routes to the .NET and J2EE Web services.]
CSF Runtime Deployment Scenarios

• "In-Proc" model
• End-to-end processing

[Diagram: a .NET Web service client hosts the CSF Runtime in-process (Authenticate, Encrypt/Decrypt) and calls a .NET Web service that also hosts the CSF Runtime in-process (Authenticate, Encrypt/Decrypt, Authorize, Log).]
CSF Runtime Deployment Scenarios Summary

Flexibly combine all models

[Diagram: .NET and J2EE Web service clients with the CSF Runtime in-process, Web Service Intermediaries running the CSF Runtime, and .NET and J2EE Web services with the CSF Runtime in-process, combined in one deployment.]
Conclusions

• There are multiple challenges in Web services management
• The Common Services Framework provides:
  • An administrative framework
    • Registering Web services and consumers
    • Managing policies for security, routing, etc.
  • A runtime framework
    • Enforcing Web service management policies
    • Easy to add more management enforcement capabilities
    • Flexible enough to support many deployment models