RY-Presentation - Center for Adaptive Optics


Web Service Security Through A Guard
Roxanne Yee
Home Institution: University of Hawaiʻi at Mānoa
Internship Site: Akimeka, LLC
Mentor: Marc Lefebvre
Advisor: Todd Lawson
1
Presentation Overview
- Project Hierarchy and Motivation
- Background and Terminology
- Guard
- Web Service Security
- My Specific Part
- Test Bench
- An Example
- Questions
2
- Information Assurance (IA) Group
  - Cross Domain Solutions (CDS) Group
    - GWSG (Global Web Services Gateway) Project
      - Service Oriented Architecture (SOA) Test Lab
- Customers
  - National Security Agency (NSA)
  - Defense Information Systems Agency (DISA)
3
GWSG Project Motivation
Goal
- To enhance the capabilities of a user on a classified network to gain immediate access to data available on an unclassified network
[Diagram: Classified Network User <-> Unclassified Database]
4
GWSG Project Motivation
One Method Currently Used To Access Data
[Diagram: Classified Network User (Soldier) -> Classified Database; Unclassified Database -> Classified Database via Sneaker-net]
5
GWSG Project Motivation
Disadvantages to Current Methods
- Redundancies of Data
- Time Costly
  - Replication
  - Transportation
- Need For Data Synchronization
  - Frequent Updates
- No Guarantee of Data Availability
- Extra Manpower by Man-In-The-Loop
6
GWSG Project Motivation
New Cross Domain Solution (CDS)
- Web Services Technology
[Diagram: Classified Network User (Soldier) -> Guard -> Unclassified Database]
7
SOA Test Lab Component
Goal
- Evaluate Guards Specified by NSA and DISA
- Compare capability and effectiveness to process message formats used by web services today
- Provide the best guard solution given a specific situation in which the guard would be applied
8
My Part In The SOA Test Lab
Research and Document How To Implement Web Service Security
- Controlled and Predictable Environment
- Test Web Service
Findings To Be Used In SOA Test Lab
- Foundation
- Template
9
WSS, SOAP, and HTTP
- WSS or WS-Security (Web Service Security)
  - OASIS (Organization for the Advancement of Structured Information Standards)
  - Applied to SOAP Messages
- SOAP (Simple Object Access Protocol)
  - Message Format
- HTTP (Hypertext Transfer Protocol)
  - Transport Protocol
10
The Project: Test Bench
Client and Server on same computer; communicate through localhost interface
[Diagram: Client (soapUI) <-> Server (Axis2): SOAP Request and SOAP Response]
11
The Project: Open-Source Software
Server Side
- Tomcat 6.0.16
- Axis2 1.4
- Rampart 1.4
Client Side
- soapUI 2.0.2
12
The Project: Test Bench
Client and Server on same computer; communicate through localhost interface
[Diagram: Client (soapUI) -> Server (Axis2): SOAP Request with WSS]
13
soapUI Outgoing Configuration
Interface Used to Apply WSS to Request To Server
14
Usual Request soapUI Sends w/o WSS
A SOAP Message Request w/o WSS
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"
    xmlns:sam="http://sample01.policy.samples.rampart.apache.org">
  <soap:Header/>
  <soap:Body>
    <sam:echo>
      <!--Optional:-->
      <sam:param0>Hello?</sam:param0>
    </sam:echo>
  </soap:Body>
</soap:Envelope>
15
Additional WSS Information Applied To Usual Request soapUI
A SOAP Message Request Header with WSS
<soap:Header>
  <wsse:Security soap:mustUnderstand="true"
      xmlns:wsse="http://…secext-1.0.xsd">
    <wsse:UsernameToken wsu:Id="UsernameToken-22786527"
        xmlns:wsu="http://…utility-1.0.xsd">
      <wsse:Username>alice</wsse:Username>
      <wsse:Password Type="http://…wss-username-token-profile-1.0#PasswordText">bobPW</wsse:Password>
    </wsse:UsernameToken>
  </wsse:Security>
</soap:Header>
16
The Project: Test Bench
Client and Server on same computer; communicate through localhost interface
[Diagram: Server (Axis2) -> Client (soapUI): SOAP Response with WSS]
17
Usual Configuration Scheme For A Service on The Server
services.xml Without Rampart
<?xml version="1.0" encoding="UTF-8"?>
<service>
  <operation name="echo">
    <messageReceiver class="org.apache.axis2.rpc.receivers.RPCMessageReceiver"/>
  </operation>
  <parameter name="ServiceClass" locked="false">
    org.apache.rampart.samples.policy.sample01.SimpleService
  </parameter>
  <module ref="addressing" />
  <!-- RAMPART CONFIGURATION MAY OCCUR HERE -->
</service>
18
Additional Code To Tell Rampart What Type of WSS To Expect
services.xml with Rampart
<module ref="rampart" />
<wsp:Policy wsu:Id="UT" xmlns:wsu="http://…" xmlns:wsp="http://…">
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:SupportingTokens xmlns:sp="http://…/securitypolicy">
        <wsp:Policy>
          <sp:UsernameToken sp:IncludeToken="http://…/IncludeToken/AlwaysToRecipient"/>
        </wsp:Policy>
      </sp:SupportingTokens>
      <ramp:RampartConfig xmlns:ramp="http://…">
        <ramp:user>username</ramp:user>
        <ramp:passwordCallbackClass>org.apache.rampart.samples.policy.sample01.PWCBHandler</ramp:passwordCallbackClass>
      </ramp:RampartConfig>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>
19
The Project: Test Bench
Client and Server on same computer; communicate through localhost interface
[Diagram: Client (soapUI) <-> Server (Axis2): SOAP Messages with WSS]
20
The Project: Ultimate Purpose
[Diagram: Client (soapUI) on the Classified side and Server (Axis2, localhost) on the Unclassified side, each behind an XML Firewall, with the Guard between them. Labels: SOAP over HTTP with WSS; Proprietary Format over Proprietary Protocol]
21
WSS Mechanisms Attempted
- User Name Token
  - Username and Password
- Timestamp
  - Time to Live
- Encryption
  - Confidentiality
- Signature
  - Integrity and Authentication
22
An Example: Test Web Service
[Diagram: Client sends "Hi!" to Server; Server returns "Hi!"]
23
An Example: Valid User Name Token
[Diagram: Client sends Correct Username And Password to Server; Server responds with Echo]
24
An Example: Invalid User Name Token
[Diagram: Client sends Incorrect Username And/Or Password to Server; Server responds with Error]
25
An Example: Test Results
Username  | Password  | Result
----------|-----------|-------
Correct   | Correct   | Echo
Incorrect | Incorrect | Error
Blank     | Blank     | Error
Correct   | Incorrect | Error
Correct   | Blank     | Error
Incorrect | Correct   | Error
Incorrect | Blank     | Error
Blank     | Correct   | Error
Blank     | Incorrect | Error
26
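As an added example that is not part of the presentation: the UsernameToken check behind the header on the WSS request slide and the results table above, worked through in Python. It parses a soapUI-style request, accepts only the PasswordText profile the slide uses, and reproduces the nine-row table; the OASIS namespace URIs are written out in full where the slides abbreviate them, and the credential store, the "bob"/"wrongPW" pair and the function names are constructed here, not Rampart's.

```python
import hmac
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape
# SOAP 1.2 and OASIS WS-Security 1.0 namespace URIs, written out in full.
NS = {
    "soap": "http://www.w3.org/2003/05/soap-envelope",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
}
PASSWORD_TEXT = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-username-token-profile-1.0#PasswordText")
CREDENTIALS = {"alice": "bobPW"}  # constructed store standing in for PWCBHandler

def build_request(username, password):
    """soapUI-style echo request carrying a UsernameToken (constructed)."""
    return (
        f'<soap:Envelope xmlns:soap="{NS["soap"]}" '
        f'xmlns:sam="http://sample01.policy.samples.rampart.apache.org">'
        f'<soap:Header><wsse:Security xmlns:wsse="{NS["wsse"]}" soap:mustUnderstand="true">'
        f'<wsse:UsernameToken xmlns:wsu="{NS["wsu"]}" wsu:Id="UsernameToken-1">'
        f'<wsse:Username>{escape(username)}</wsse:Username>'
        f'<wsse:Password Type="{PASSWORD_TEXT}">{escape(password)}</wsse:Password>'
        f'</wsse:UsernameToken></wsse:Security></soap:Header>'
        f'<soap:Body><sam:echo><sam:param0>Hi!</sam:param0></sam:echo></soap:Body></soap:Envelope>'
    )

def verify(envelope_xml):
    """'Echo' for a present, non-blank, matching PasswordText pair; otherwise 'Error' (results table)."""
    root = ET.fromstring(envelope_xml)
    token = root.find("soap:Header/wsse:Security/wsse:UsernameToken", NS)
    if token is None:
        return "Error"  # request carries no UsernameToken
    user = token.findtext("wsse:Username", default="", namespaces=NS).strip()
    pw_el = token.find("wsse:Password", NS)
    if pw_el is None or pw_el.get("Type") != PASSWORD_TEXT:
        return "Error"  # only the cleartext PasswordText profile is handled
    password = (pw_el.text or "").strip()
    if not user or not password:
        return "Error"  # blank username and/or password
    # Constant-time compare; an unknown user compares against "" and fails.
    if not hmac.compare_digest(CREDENTIALS.get(user, "").encode(), password.encode()):
        return "Error"
    return "Echo"

def results_table():
    """The nine Correct/Incorrect/Blank combinations from the results slide."""
    samples = {"Correct": ("alice", "bobPW"), "Incorrect": ("bob", "wrongPW"), "Blank": ("", "")}
    return {(u, p): verify(build_request(samples[u][0], samples[p][1]))
            for u in samples for p in samples}
```

PasswordText sends the password in the clear, which the test bench tolerates only because client and server share the localhost interface; on a real network the token would need transport protection or the digest profile.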
Actual SOA Test Lab Setup
27
Acknowledgements
VP Operations
Matt Granger
Program Manager
Todd Lawson
Mentor
Marc Lefebvre
GWSG
Bryan Berkowitz
Casey McGinty
Scott Oshita
Christopher Paris
Derek Terawaki
Helpful Coworkers
Conrado Cortez
Deanna Garcia
Mark Mizubayashi
Former Cubiclemates
Ellen Federoff
Kelly Ledford
And Everyone Else Who Made Me Feel Welcome!
28
Acknowledgements
Funding
- Center for Adaptive Optics (CfAO): National Science Foundation and Technology Center Grant (#AST-987683)
- Akamai Workforce Initiative: National Science Foundation Grant and Air Force Office of Scientific Research Grant (#AST-0710699)
- University of Hawaiʻi Grant
Maui Akamai Internship Program
Program Staff
Lisa Hunter
Lani LeBron
Scott Seagroves
Lynne Raschke
Short Course Instructors
Dave Harrington
Ryan Montgomery
Isar Mostafanezhad
Mark Pitts
Sarah Sonnet
And Everyone Else Who Contributed To This Valuable Experience!
29
Thank you!
Any Questions?
30