web services reliable messaging and security paul fremantle vp of technology wso2
Post on 18-Dec-2015
215 views
TRANSCRIPT
Web Services Reliable Messaging and Security
Paul FremantleVP of Technology
WSO2
© WSO2, Inc, 2006
About me Co-founder and VP of Technology and Partnerships at
WSO2 The leading Open Source Web services company
Co-Chair of the OASIS WSRX Technical Committee Committer on Apache Synapse Member of the Apache Software Foundation Co-author of Building Web Services in Java 2nd Edition
http://bloglines.com/blog/paulfremantle Ex IBM Senior Technical Staff Member
developed the IBM Web Services Gateway Apache WSIF Apache Axis C/C++ JWSDL/WSDL4J – now Apache Woden
© WSO2, Inc, 2006
Contents Introduction to WS-Reliable Messaging Composing WSRM and Security Potential attacks on a reliable exchange Securing the Sequence Summary
© WSO2, Inc, 2006
WSRM Aims To help ensure that messages are
delivered to their destination Exactly Once In Order is the most common
requirement “Composable” with other specifications
and existing systems Doesn’t re-implement those aspects Has the ability to work with other standards
(security, transactions, addressing)
© WSO2, Inc, 2006
History
A specification designed by IBM, Microsoft, BEA and Tibco
Designed to compose with WS-Addressing, WS-Policy
Originally published in March 2003 Refreshed March 2004, Feb 2005 Submitted to OASIS June 2005
© WSO2, Inc, 2006
This presentation
Mainly based on the public review (CD4) of WSRM 1.1 (OASIS)
With appropriate comments on the Submission spec (WSRM 1.0)
© WSO2, Inc, 2006
WS-Reliability
An alternative specification proposed by Fujitsu, Hitachi, NEC, Oracle, Sun
Submitted to OASIS and standardized, currently at v1.1
One available implementation: RM4GS Reliable Messaging for Grid
Service A sample/reference implementation
© WSO2, Inc, 2006
Confusion
WS-R
WSRM
OASIS
WSRM committee
WS-RX committee
© WSO2, Inc, 2006
WS-RX TC members includerepresentatives of:
Actional Corporation Adobe Systems BEA Systems, Inc. BTplc Choreology Ltd. Ericsson Fujitsu Limited Hitachi, Ltd. IBM IONA Technologies JBoss Inc. Microsoft Corporation
NEC Corporation Nortel Networks Limited Novell Oracle Corporation SAP AG Sonic Software Corp. Sonoa Systems, Inc. Sun Microsystems Tibco Software Inc. webMethods, Inc. WSO2
While the TC is working from the submitted spec, it aims to meet the requirements of all the TC members within the scope of the charter
Introduction to WSRM
© WSO2, Inc, 2006
The core model
CreateSequence and CreateSequenceResponse
Messages allocated to the sequence Acknowledgement Resend of unacknowledged
messages TerminateSequence and
TerminateSequenceResponse
© WSO2, Inc, 2006
Simple example
© WSO2, Inc, 2006
WS-RM core model
© WSO2, Inc, 2006
Delivery Assurances Previous spec (1.0) explicitly called out the
delivery assurances: At least once At most once Exactly once (at least+at most) InOrder
1.1 allows the RMD to specify IncompleteSequenceBehaviour
DiscardEntireSequence DiscardFollowingFirstGap NoDiscard
© WSO2, Inc, 2006
Verbs SOAP Body:
CreateSequence/CreateSequenceResponse CloseSequence*/CloseSequenceResponse* TerminateSequence/
TerminateSequenceResponse* SOAP Header:
Sequence AckRequested SequenceAcknowledgement
* Indicates added since submitted to OASIS
© WSO2, Inc, 2006
CreateSequence<wsrm:CreateSequence ...> <wsrm:AcksTo ...>wsa:EndpointReferenceType</wsrm:AcksTo> <wsrm:Expires ...> xs:duration </wsrm:Expires> ? <wsrm:Offer ...> <wsrm:Identifier ...> xs:anyURI </wsrm:Identifier> <wsrm:Expires ...> xs:duration </wsrm:Expires> ? ... </wsrm:Offer> ? ...</wsrm:CreateSequence>
© WSO2, Inc, 2006
CreateSequenceResponse
<wsrm:CreateSequenceResponse ...> <wsrm:Identifier ...> xs:anyURI </wsrm:Identifier> <wsrm:Expires> xs:duration </wsrm:Expires> ? <wsrm:AcknowledgementInterval Milliseconds="xs:unsignedLong" />? <wsrm:Accept ...> <wsrm:AcksTo ...> wsa:EndpointReferenceType </wsrm:AcksTo> </wsrm:Accept> ? ...</wsrm:CreateSequenceResponse>
© WSO2, Inc, 2006
CreateSequence/Response Sent in the body AcksTo specifies the place where
acknowledgements are sent Expires is optional Offer is an optional way of initiating
a Sequence in the reverse direction Can respond with
CreateSequenceRefused fault
© WSO2, Inc, 2006
CloseSequence
<wsrm:CloseSequence ...> <wsrm:Identifier ...>xs:anyURI</wsrm:Identifier> ...</wsrm:CloseSequence>
Sent from the RMS to the RMD Added to help close down incomplete sequences After a sequence is closed, no new messages are
received But still responds to AckRequested
Allowing the final state of the sequence to be ascertained
© WSO2, Inc, 2006
TerminateSequence
<wsrm:TerminateSequence ...> <wsrm:Identifier ...> xs:anyURI </wsrm:Identifier> ...</wsrm:TerminateSequence>
Sent from the RMS to the RMD - indicates that the sequence will no longer be used
Normally sent when the sequence is complete – all sent messages have been acknowledged
Can be sent at any time
© WSO2, Inc, 2006
TerminateSequenceResponse
This was added by the TC to allow the RMS to know that the RMD successfully terminated the sequence
<wsrm:TerminateSequenceResponse ...> <wsrm:Identifier ...> xs:anyURI </wsrm:Identifier> ...</wsrm:TerminateSequenceResponse>
© WSO2, Inc, 2006
Sequence Header
The primary header – added to every message that is in a Sequence
Adds the sequence identifier and the message number
<wsrm:Sequence ...> <wsrm:Identifier ...> xs:anyURI </wsrm:Identifier> <wsrm:MessageNumber> wsrm:MessageNumberType </wsrm:MessageNumber>...</wsrm:Sequence>
© WSO2, Inc, 2006
AckRequested<wsrm:AckRequested ...> <wsrm:Identifier ...> xs:anyURI </wsrm:Identifier> ...</wsrm:AckRequested>
Allows a RMS to request an acknowledgement from the RMD
RMD must reply at once Must be a full acknowledgement (no Partial Answer
Mode)
© WSO2, Inc, 2006
SequenceAcknowledgement
<wsrm:SequenceAcknowledgement ...> <wsrm:Identifier ...> xs:anyURI </wsrm:Identifier>[ [ [ <wsrm:AcknowledgementRange ... Upper="wsrm:MessageNumberType" Lower="wsrm:MessageNumberType"/> + | <wsrm:None/> ] <wsrm:Final/> ? ]| <wsrm:Nack> wsrm:MessageNumberType </wsrm:Nack> + ] ...</wsrm:SequenceAcknowledgement>
A complete set of ranges May be Final – indicating no more messages will be accepted
Or None (may be Final) Or Nacks of individual messages
© WSO2, Inc, 2006
“Optimistic” model
Because the whole Sequence is acknowledged, it is possible to use WSRM with very little overhead over a sequence of messages
CreateSequence Messages flow with Sequence headers, plus occasional
acknowledgements TerminateSequence
© WSO2, Inc, 2006
Offer and Accept
Offered sequence is a way of cutting down the “back-and-forth”
There is no specific requirement that the Offered sequence is used for responses But usual behaviour
© WSO2, Inc, 2006
WSRM Policy
<wsrmp:RMAssertion wsp:Optional=true/>
The submitted spec had a number of parameters available in policy.
AcknowledgementInterval was moved to CS
Dynamic optimization of protocol timing is more effective than static parameters.
© WSO2, Inc, 2006
A two-way reliable interactionClient Server
CreateSequence + OfferCreateSequenceResponse(A) + Accept(B)
Request 1Response 1 + ackA1
Request 2 + ackB1
Request 3 + AckB1Response 3 + ackA123
Response 2ackB123
TerminateSequence(A)TerminateSequenceResponse + AckA123_Final
TerminateSequence(B)TerminateSequenceResponse + AckB123_Final
© WSO2, Inc, 2006
Anonymous clients
The protocol supports one-way reliability with anonymous clients May be reliable-in/unreliable-out acksTo will be anonymous Uses piggybacked acks
© WSO2, Inc, 2006
Anonymous clients and two-way
The WSRM1.1 specification has added a new verb to support this: MakeConnection
client
CS+Offer(seq2)
serv
er
CSR(seq1)+Accept
msg1(seq1)
response1(seq2) +ack(seq1)
msg2(seq1) + ack(seq2)
msg3(seq1) + ack(seq2)
response3(seq2) + ack(seq1)MakeConnection(seq2)
response2(seq2)
© WSO2, Inc, 2006
Uptake Still gated by lack of a “standard” Industry has definitely moved to WSRM
spec Examples:
Canadian government project built a solution on WSRM spec
A major Wall Street bank is looking at widespread adoption of WSRM
Ford and Daimler Chrysler are planning major implementations
Other groups such as RAMP, FIXprotocol, will profile RM
© WSO2, Inc, 2006
Composability with Security
WSRM is inherently designed to compose with security systems SSL/TLS WS-Security WS-SecureConversation
© WSO2, Inc, 2006
Basic Composability
WS-Security
WS-ReliableMessaging
WS-AtomicTransactions
Transactional SecureTransactional
SecureReliable
Transactional
SecureReliable
Reliable
© WSO2, Inc, 2006
Composability works!
Numerous demonstrations of WSRM + WSSecurity
WSRM and WSSecureConversation
WSO2’s Web Service App Server fully supports these combinations
© WSO2, Inc, 2006
Composability isn’t enough
Unfortunately, there is a problem Composability ensures that the
application can be secured But doesn’t secure the sequence
© WSO2, Inc, 2006
Why isn’t SSL or WSSec enough?
Party 1Authorized
RM enabled system
RM Sequence
Party 2Authorized
Attack
on S
equence
© WSO2, Inc, 2006
Sequence attacks are real Probably the most famous hack ever was a
sequence attack TCP Sequence Prediction Based on predicting the correct sequence
number for a packet and getting your packets in first
First identified by Robert Morris in 1985 but thought impractical and unlikely
Actually implemented by Kevin Mitnick against Tsutomu Shimomura on Christmas Day 1994
© WSO2, Inc, 2006
So what can we learn from this?
1. Don’t login on Christmas Day2. Protect your sequence
© WSO2, Inc, 2006
Integrity
Threats Any modification to any of the RM
protocol messages Countermeasures
Signing the headers To prevent headers being swapped,
Sequence headers should be signed with the body
© WSO2, Inc, 2006
Denial of Service Threat
Many unused CreateSequences Target an in-order sequence with
missing messages Countermeasures
Restrict sequence creation to authorized parties
Monitor sequences for DoS attacks Similar to secure TCP stacks
© WSO2, Inc, 2006
Sequence Spoofing Threats
Hijacking Injecting fake or wrong messages into a sequence Incorrectly acknowledging messages
Countermeasures Tie the Sequence to a security context Each side associates the sequence with
security credentials used during creation Only accepts Sequence Traffic from the
same entity
© WSO2, Inc, 2006
SSL/TLS example
RMS RMD
Create SSL/TLS session(s)
Send CreateSequence over TLS session
Sequence Traffic / TLS
Sequence Traffic / different TLS
Sequence Ack / TLS
Sequence Ack / different TLS
CreateSequenceResponse over TLS
© WSO2, Inc, 2006
Ensuring that the Sequence is secure
Add this header block<wsrm:UsesSequenceSSL
soap:mustUnderstand=“true” ... />
The mustUnderstand ensures that the RMD “agrees” to the contract Otherwise it should fault
© WSO2, Inc, 2006
Restrictions
SSL / TLS is only point-to-point Any intermediaries must be
trusted to maintain integrity The sequence must last no longer
than the SSL/TLS session
© WSO2, Inc, 2006
WS-Security
Provides SOAP message security Authentication Encryption Message and header digital
signatures
Message level security
© WSO2, Inc, 2006
SecureConversation
An extension to WS-Security that allows a secure context to be established between two parties
Potentially used together with WS-Trust
© WSO2, Inc, 2006
Secure Conversation
© WSO2, Inc, 2006
Benefits over just WS-Security
In WS-Security, a public key is used for every message
Highly inefficient
© WSO2, Inc, 2006
WS-SecureConversation in RM
<wsrm:CreateSequence>…
<wsse:SecurityTokenReference>...</wsse:SecurityTokenReference>
</wsrm:CreateSequence>
© WSO2, Inc, 2006
SecureConversation example
RMS RMD
Create WSSC secure context
Send CreateSequence including STReference
Sequence Traffic, signed headers and body
Sequence Traffic / different SecurityContext
Sequence Ack including STReference
Sequence Ack / different context
CreateSequenceResponse
© WSO2, Inc, 2006
Ensuring that this model is in place
<wsrm:UsesSequenceSTR soap:mustUnderstand=’true’/>
This forces the RMD to ensure that the sequence is secured using the supplied STR
© WSO2, Inc, 2006
WS-I RSP
Reliable Secure Profile Proposed by IBM, Ford,
DaimlerChrysler Aiming at creating a supplier network
based on secure reliable SOAP
WSRM 1.1 WS-SecureConversation 1.3
© WSO2, Inc, 2006
RX TC Status and Roadmap
60-day Public Review completed Aiming to have dealt with all
comments by the end of year Aiming for a standard Q1 2007
© WSO2, Inc, 2006
Implementations Microsoft Windows Comm Framework
WCF aka Indigo Supports the submitted spec
IBM WebSphere 6.1 “IBM intends to make a fully supported Web Services Reliable Messaging
solution available for WebSphere Application Server V6.1 early in 2007”
Apache Sandesha 1.0 Supports the submitted spec and CD3 of WSRM 1.1
WSO2 Tungsten Supported package of Apache Axis2, WSS4J,
Sandesha2
Plus implementations from: Systinet, Oracle, SAP, Sun, BEA
© WSO2, Inc, 2006
OASIS March Interop resultsIBM, MSFT, WSO2, SAP, Oracle
RMS\RMD
P1 P2 P3 P4 P5
P1 1.1 1.2 1.3 1.4 2.1 2.2 2.3
1.1 1.2 1.3 1.4 2.1 2.2 2.3
1.1 1.2 1.3 1.4 2.1 2.2 2.3
1.1 1.2 1.3 1.4 2.1 2.2 2.3
1.1 1.2 1.3 1.4 2.1 2.2 2.3
P2 1.1 1.2 1.3 1.4 2.1 2.2 2.3
1.1 1.2 1.3 1.4 2.1 2.2 2.3
1.1 1.2 1.3 1.4 2.1 2.2 2.3
1.1 1.2 1.3 1.4 2.1 2.2 2.3
1.1 1.2 1.3 1.4 2.1 2.2 2.3
P3 1.1 1.2 1.3 1.4 2.1 2.2 2.3
1.1 1.2 1.3 1.4 2.1 2.2 2.3
1.1 1.2 1.3 1.4 2.1 2.2 2.3
1.1 1.2 1.3 1.4 2.1 2.2 2.3
1.1 1.2 1.3 1.4 2.1 2.2 2.3
P4 1.1 1.2 1.3 1.4 2.1 2.2 2.3
1.1 1.2 1.3 1.4 2.1 2.2 2.3
1.1 1.2 1.3 1.4 2.1 2.2 2.3
1.1 1.2 1.3 1.4 2.1 2.2 2.3
1.1 1.2 1.3 1.4 2.1 2.2 2.3
P5 1.1 1.2 1.3 1.4 2.1 2.2 2.3
1.1 1.2 1.3 1.4 2.1 2.2 2.3
1.1 1.2 1.3 1.4 2.1 2.2 2.3
1.1 1.2 1.3 1.4 2.1 2.2 2.3
1.1 1.2 1.3 1.4 2.1 2.2 2.3
© WSO2, Inc, 2006
Resources WSRX TC Homepage
http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=ws-rx
Submitted specification http://www.oasis-open.org/committees/download.php/16889/
Cover pages Reliable Messaging http://xml.coverpages.org/reliableMessaging.html
Apache Sandesha http://ws.apache.org/sandesha2/