WS-Security Practical lessons from the frontline with the Government

WS-Security: Practical lessons from the frontline with the Government Gateway
Government Gateway Overview
Jerry Fishenden
Industry Strategy Consultant
Government and Education
Microsoft UK
Before the Government Gateway
[Diagram: the citizen, regional and local government, national assemblies and central government departments, each shown as a separate party]
Broad Identity (ID) Management and Messaging/Transaction Issues
massively scalable – national populations range from <1m to >c.1bn
needs to tackle:
authentication (we know who the person is)
authorisation (we know they are entitled to use the service)
the capacity they’re operating in (i.e. their role)
varied credential types (userID/password, digital certificate, bioauthentication) issued potentially by various (trusted) parties
needs to support delegated rights:
to third parties (agents / intermediaries acting on behalf of people)
to assistants within an organisation (subsets of user rights)
reliable, secure, two-way transactional sync and async messaging between citizens, businesses, intermediaries and government
The Government Gateway
Provides the UK Government’s eservices agenda with:
cross-government identity management
authentication
authorisation
delegated rights and roles
for citizens, businesses, intermediaries and government employees
messaging and transaction facilities for:
citizen-to-government (C2G)
business-to-government (B2G)
government-to-government (G2G)
Gateway Standards are e-GIF standards
Metadata Framework
Security Framework
Data Interoperability (XML)
Management & Operations
the UK has adopted open standards as the way to underpin its eGovernment programme. Key elements of this include:
metadata framework: Dublin Core / W3C Resource Description Framework
security framework: ISO/IEC 17799:2000 information technology, code of practice for information security management, Common Criteria
data interoperability: IETF, W3C, WS-I, OASIS interoperability standards (e.g. XML, SOAP)
management and operations: OGC ITIL
these standards – published in the e-Government Interoperability Framework (e-GIF) – underpin the Government Gateway’s technical design
Government Gateway Overview
[Diagram: channels and devices (PC, mobiles, phones, PDAs, TV, call centres, portals, etc) reach the Government Gateway over the Internet; its ID Management component handles authentication and authorisation, and its Messaging & Interoperability component (the Transaction Engine) carries document submissions and data interactions to connected bodies such as the IR, DWP and local authorities]
Gateway Overview
[Diagram: the Gateway sits between PC and third-party applications and portal applications on one side and departments and local authorities on the other]
A&A web service
the Government Gateway is designed as a piece of ‘middleware’ and exposes its authentication / authorisation functionality through programmatic interfaces built using web services
the authentication / authorisation web service interface defines a variety of methods for authentication and authorisation of users
it uses the open WS-* standards: WS-Security, WS-Trust, WS-Policy
the model is designed to provide the basis for a single sign-on (SSO) framework suitable for both web services and web sites
it has over 4m user accounts and is designed to scale to 60m+
Government Gateway Transaction Engine
provides a single, consistent point of interaction for all citizen-to-government, business-to-government and government-to-government online services
XML in/out – uses UK Government GovTalk
reliable end-to-end messaging from point of origination to delivery
uses authentication and authorisation engine to validate messages
validates, authenticates and routes XML messages between connected parties (C2G, B2G, G2G)
calls R&E (A&A) for authentication and authorisation
provides audit, message tracking
all interfaces use open interoperability standards – XML, HTTP, SOAP
handling millions of messages per annum (tax returns, claim forms, etc)
Live examples of Gateway-SSO sites and applications
The Government Gateway
James Brown
Senior Developer
Solidsoft
Overview
Why use WS Standards?
What are the WS Standards?
Microsoft WSE 2.0
Lessons learnt
The Government Gateway and Web Services
Existing SOAP interface
Need to replicate all the functionality of the UI and more as a Web Service
Version 1.65
Requirements for Web Service
Adhere to Open Standards
Supported by a wide range of companies
Easy to implement
Microsoft WSE 2.0
Easy to develop against
Toolkits available from multiple vendors
Future-proof
Ever increasing list of standards
More companies are joining the process
Future Microsoft products are utilizing the standards
What are the WS Standards?
Too many to list here
Composability: just use the WS-* standards that you need
How do they manifest themselves?
All contained in the SOAP Envelope:
Header
Body
Encapsulates everything required in a single XML document
All using current technologies and practices
WS-I
www.ws-i.org set up by Microsoft and IBM
Provide clarity on specifications
Publish guidelines
Coordinate specs
Sample Applications
Test Tools
Special Interest Groups
WS-I
“If you're an infrastructure player and don't buy into the WS-I group, don't even show up; we won't do business with you.”
Merrill Lynch CTO John McKinley
http://news.com.com/2009-1001-983559.html
WS-Addressing
What is WS-Addressing?
Basic problems that we face:
How do we get a SOAP message from A to B?
How do we deal with replies and errors?
These start to become real problems when disparate systems are communicating
How is this problem solved?
WS-Security
What is WS-Security?
WS-Security describes enhancements to SOAP messaging to provide:
Message Integrity
Message Confidentiality
Single Message Authentication
Tokens
Assert claims: Username, Public Keys
Proof of possession: Passwords, Private Keys
Tokens
Username Tokens
Binary Security Tokens
X509 Tokens
Kerberos Tokens
Custom XML Tokens
SAML Tokens
Gateway Tokens
WS-Trust
What is WS-Trust?
Defines the means by which a service can delegate the authentication of credentials to another party
Scope of Trust
[Diagram: the user's client presents a username token to the STS and requests a custom token; the STS returns a CustomToken; the client then presents the custom token with each SOAP function call to the Gateway]
Gateway Token
<GatewayToken>
  <Created>2004-08-22T17:35:18Z</Created>
  <Expires>2004-08-22T21:35:18Z</Expires>
  <Usage>Standard</Usage>
  <Opaque>Lksjhvcnf7842jmnrfyunwe9yu378yt6943y3e…</Opaque>
</GatewayToken>
The Opaque element, expanded:
<Opaque>
  <Token>
    <CredentialIdentifier>5KU74UF..</CredentialIdentifier>
    <tSchemeLevel>1</tSchemeLevel>
  </Token>
  <Nonce>ft45t……</Nonce>
  <hMAC>ygk1…….</hMAC>
</Opaque>
WS-Policy
What is WS-Policy?
A way to advertise and enforce the policies of your site
Message Age
Types of tokens
Lifetime of tokens
Which elements need to be signed
Complex: <Or>, <ExactlyOne>
XML Based
Send-side and Receive-side
Microsoft Web Services Enhancements 2.0 (WSE)
WSE 2.0
Designed to bring advanced Web Services technologies based on standard protocols to developers
Integrates with Visual Studio .NET and .NET Framework
What do you get with WSE?
WS-Addressing
WS-Security
WS-Policy
WS-SecurityPolicy
WS-Trust
WS-SecureConversation
WS-Referral
WS-Attachments
Interoperability
WSE 2.0
Applications can be hosted in multiple environments
ASP.NET
Winforms
NT Services
Multiple Transports
Raw TCP
HTTP
Low-level APIs
How does WSE work?
[Diagram: an incoming SOAP message passes through the WSE filter pipeline (Security, Policy, Referral, Trace and any Custom filters), populating the SoapContext before reaching user code; the Security filter relies on the Security Token Manager; outgoing messages pass back through the same filters in reverse order]
Security Token Managers
UsernameTokenManager
X509TokenManager
Custom SecurityTokenManager
Simple Web Service
Government Gateway and WSE
Custom Filters
EIF Tracing
Check on Custom Token count (added in WSE 2.0 SP1)
CustomSecurityTokenService
Distributes GatewayTokens
UsernameTokenManager
Validates Username/Password against database
X509TokenManager
Validates signature and certificate
CustomTokenManager
Used to validate GatewayTokens
Policy files
Lessons Learnt…
WSE Config files
No room for error
Mainly an issue early on in the project
Certificates
Permissions
.cer files
Performance
Time difference between servers
Servers on a domain do not sync accurately enough
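An added illustration in Python, not Gateway or WSE code, of what the CustomTokenManager that validates GatewayTokens has to check on the structure shown earlier: HMAC, validity window and tScheme level, with the clock-skew tolerance that the server time-difference lesson above calls for. The HMAC-SHA256 over the field values, the injectable clock and the credential identifier are assumptions.

```python
import hashlib, hmac, os
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

FMT = "%Y-%m-%dT%H:%M:%SZ"
SKEW = timedelta(minutes=5)  # tolerance for clock drift between web-farm servers

def _parse(s):
    return datetime.strptime(s, FMT).replace(tzinfo=timezone.utc)

class GatewayTokenValidator:
    FIELDS = ("Created", "Expires", "Usage", "CredentialIdentifier", "tSchemeLevel")

    def __init__(self, secret: bytes, clock=None):
        self.secret = secret  # known only to the Gateway, so nobody else can mint or edit tokens
        self.clock = clock or (lambda: datetime.now(timezone.utc))

    def _mac(self, token, nonce):
        # Sign the field values plus nonce, not the raw XML, so whitespace cannot break the check
        data = "|".join(token.findtext(f) or "" for f in self.FIELDS) + "|" + nonce
        return hmac.new(self.secret, data.encode(), hashlib.sha256).hexdigest()

    def issue(self, credential_id, tscheme_level, lifetime=timedelta(hours=4)):
        now = self.clock()
        token = ET.Element("Token")
        values = (now.strftime(FMT), (now + lifetime).strftime(FMT), "Standard", credential_id, str(tscheme_level))
        for name, value in zip(self.FIELDS, values):
            ET.SubElement(token, name).text = value
        nonce = os.urandom(16).hex()  # makes every issued token, and its HMAC, unique
        opaque = ET.Element("Opaque")
        opaque.append(token)
        ET.SubElement(opaque, "Nonce").text = nonce
        ET.SubElement(opaque, "hMAC").text = self._mac(token, nonce)
        return ET.tostring(opaque, encoding="unicode")

    def validate(self, opaque_xml, required_level=1):
        root = ET.fromstring(opaque_xml)
        token, nonce, mac = root.find("Token"), root.findtext("Nonce"), root.findtext("hMAC")
        if token is None or not nonce or not mac:
            return False, "malformed"
        if not hmac.compare_digest(mac, self._mac(token, nonce)):
            return False, "bad hmac"  # any edited field or nonce fails here, before dates are parsed
        now = self.clock()
        if _parse(token.findtext("Created")) - SKEW > now:
            return False, "not yet valid"
        if _parse(token.findtext("Expires")) + SKEW < now:
            return False, "expired"
        if int(token.findtext("tSchemeLevel")) < required_level:
            return False, "insufficient tScheme level"
        return True, token.findtext("CredentialIdentifier")
```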
Lessons Learnt…
Interoperability
Use SOAP as a message delivery mechanism, not RPC
Design the message XML first
Specifications
Still evolving
Not all are ratified
Start-up times
Easy to miss in testing
Web farms make it worse
Resources
www.msdn.microsoft.com/webservices
Public Groups – microsoft.public.dotnet.framework.webservices.enhancements
Blogs
Hervey Wilson
Simon Guest
Aaron Skonnard
Sample applications ship with WSE 2.0
Resources
Reflection
http://www.aisto.com/roeder/dotnet
Tools with WSE 2.0
Policy editors
Config editors
Certificate manager
Books
Expert Service-Oriented Architecture in C#: Using the Web Services Enhancements 2.0 (Apress)
Secure Code 2 (Microsoft Press)
© 2003 Microsoft Limited. All rights reserved.
This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.