The Common Services Framework Project: Adding Security and Values to Heterogeneous Web Services Environment
Frederick Chong, Software Design Engineer, Microsoft
Kevin W. Wall, Staff Software Engineer, Qwest IT
CSF Project Background • Joint work between .NET Enterprise Architecture Team, MCS and Qwest. • Multiple phases of the project. This presentation is about phase 1.
Business Drivers • Expose and resell existing internal Telco applications • Reuse same infrastructure for managing external applications hosted by third parties • Leverage management of web services through centralized interface • Provide common security solution to web services
Challenges • Exposing information and functionality in a modular, scalable, secure, and internet-friendly way has significant challenges: • Time-to-market • Scaling to the web • Lack of end-to-end development tools • Inability of applications developed on heterogeneous platforms and environments to interact with each other
XML Web Services to the Rescue • Web Services provide loosely coupled applications and components designed for today’s heterogeneous computing landscape • Improve programmer productivity • Ease of deployment • Facilitate sharing and reuse of components • Communicate using Internet protocols and standards, such as SOAP and XML • Web Services == ISDN? (I See Dollars Now)
Selling Web Services (diagram of the value chain: Web Services Owners/Providers, Web Services Consumers, Web Applications, Users)
Employing Web Services • Applications that employ web services in their architecture have to consider 3 phases of the web service life cycle: • Web service development • Web service deployment • Web service consumption • All phases involve several management challenges
Development Challenges Web Service developers are concerned with: • Securing web services • How to secure service components so that only authenticated and authorized users are able to consume them • Managing versions • Manage versions of service components so that consumers are least impacted • Logging usage and health of services • Monitoring the health of a web service, and reporting on usage (volume, components accessed, …)
Deployment Challenges Web Service administrators are concerned with: • Security • Availability • Reliability • Recovery • Access • User Management • Consumption Analysis • Production Environment
Consumer Challenges Developers writing client applications that consume web services must address issues such as those faced by their counterparts developing the Web services. Issues that must be analyzed may include: • How many transactions/sec will the Web service be able to support? • Are the Web services secure? • Is the information sent encrypted? If so, how do I encrypt the information? • How reliable is the Web service? • Is there a way of knowing my consumption pattern?
Web Services in Qwest • Large number of custom WS have been developed and deployed • WS support increasingly sophisticated business processes • Development and management of WS are continuously evolving in their complexity • Multiple technologies used: .NET, GLUE (Java SOAP toolkit), WLS (BEA WebLogic Server)
Web Services Common Requirements • All web services developed have a common set of needs: • Security: • Authentication, Authorization, Confidentiality, Data Integrity • Global availability • Reliability • Version management • Metering, Monitoring and Logging • Interoperability of applications
Why CSF/WS Management? • In summary: • Need a set of capabilities to support increasingly sophisticated business processes enabled through web services • Address global availability, reliability, security, version management, metering, monitoring, deployment & consumption challenges • Ensure interoperability of applications • Lower development and deployment time and cost • Some of the needs can be met by current Web technologies, but others clearly need new tools
Logical View of the Common Services Framework (diagram: the Common Services Framework mediates between Web Services Owners/Providers on one side and Web Services Consumers, Web Applications and Users on the other)
Basic Flows in the Common Services Framework (diagram, steps in order):
1. Company A (Web Service Provider) registers its organization with CSF Administration
2. Company A registers its Web service
3. Company A defines access policies
4. Company B (Web Service Consumer) registers its organization with CSF
5. Company B subscribes to Company A’s Web service
6. Company B consumes the Web service through the CSF Client Toolkit; the request passes through the CSF Runtime, which secures, logs and routes it
7. The Web service response returns to Company B through the CSF Runtime
CSF Components • CSF Components include: • CSF Administration • Registration of web services • Creation and administration of security policies and privileges • Multiple routing scenarios and versioning • Manage subscription to web service consumption • CSF Runtime • Web services security • Unified logging and monitoring • Static routing and dynamic routing • CSF Client Toolkit • Standard libraries for WS clients • Configuration driven • Enables the client to act as a transparent forward proxy
Challenges Addressed by CSF Phase 1 • Web services security • Policy-driven routing of web service requests and responses • Web service traffic logging • Builds foundation for adding more value added services (Metering, Billing etc.)
CSF Security Requirements • Unilateral or mutual authentication • Access control at granularity of web service method • Session-level confidentiality • Session-level integrity • Including replay prevention
CSF Security Wishlist • End-to-end confidentiality and integrity • Non-repudiation of origin, of receipt, and of delivery • Content inspection / scrubbing: • Input validation • Canonicalization • Protection against parameter manipulation
Web Services Security • Authentication • WS-Security (message-level, end-to-end authentication) • Password-based (UsernameToken) • X.509 public key certificates • Basic authentication over HTTPS (transport-level, for clients that don’t speak WS-Security) • Authorization • Role-based authorization and business rules
Web Services Security • Authentication and Authorization Implementations: • Qwest re-used their existing corporate LDAP Directory and RSA ClearTrust products • Could be easily replaced by Microsoft Active Directory and Windows Role-based Authorization Manager Framework
Web Services Security • Confidentiality • WS-Security (XML Encryption) • Symmetric and asymmetric key encryption • End-to-end encryption: only the final recipient can decrypt, intermediaries see ciphertext • HTTPS • For clients that don’t speak WS-Security • Transport-level only: each HTTPS hop terminates at the next node, so a CSF intermediary sees the plaintext message
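As an added example, not code from the CSF project or its authors, the following Python shows the password-based WS-Security mechanism from the authentication slide together with the replay prevention the requirements slide asks for. The client emits a UsernameToken whose PasswordDigest is Base64(SHA-1(nonce + created + password)) as defined in the OASIS UsernameToken Profile 1.0; the server recomputes the digest, enforces a freshness window on wsu:Created and refuses any nonce it has already accepted. The namespace URIs are the real WS-Security 1.0 ones; the user "alice", her password, the fixed clock and the urn:example:csf body are constructed sample data.

```python
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

# Real namespace URIs from the OASIS WS-Security 1.0 specifications.
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST_TYPE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
NS = {"soap": SOAP, "wsse": WSSE, "wsu": WSU}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"   # whole-second xsd:dateTime; a real verifier must also accept fractions


class AuthError(Exception):
    """Raised by the verifier; a runtime such as CSF would turn this into a SOAP Fault."""


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """UsernameToken Profile 1.0: PasswordDigest = Base64(SHA-1(nonce + created + password))."""
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def build_request(username: str, password: str, body_xml: str, now: Optional[datetime] = None) -> str:
    """Client side: wrap body_xml in a SOAP envelope carrying a digest UsernameToken."""
    created = (now or datetime.now(timezone.utc)).strftime(TIME_FMT)
    nonce = os.urandom(16)                       # fresh per request; this is what defeats replay
    env = ET.Element(f"{{{SOAP}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP}}}Header")
    token = ET.SubElement(ET.SubElement(header, f"{{{WSSE}}}Security"), f"{{{WSSE}}}UsernameToken")
    ET.SubElement(token, f"{{{WSSE}}}Username").text = username
    pw = ET.SubElement(token, f"{{{WSSE}}}Password", {"Type": DIGEST_TYPE})
    pw.text = password_digest(nonce, created, password)   # the password itself never leaves the client
    ET.SubElement(token, f"{{{WSSE}}}Nonce").text = base64.b64encode(nonce).decode("ascii")
    ET.SubElement(token, f"{{{WSU}}}Created").text = created
    ET.SubElement(env, f"{{{SOAP}}}Body").append(ET.fromstring(body_xml))
    return ET.tostring(env, encoding="unicode")


class UsernameTokenVerifier:
    """Server side: checks the digest, enforces a freshness window and rejects reused nonces."""

    def __init__(self, passwords: Dict[str, str], freshness: timedelta = timedelta(minutes=5)):
        self.passwords = passwords
        self.freshness = freshness
        self.seen: Dict[bytes, datetime] = {}    # nonce -> end of the window in which it could still be accepted

    def verify(self, envelope_xml: str, now: Optional[datetime] = None) -> str:
        now = now or datetime.now(timezone.utc)
        token = ET.fromstring(envelope_xml).find("soap:Header/wsse:Security/wsse:UsernameToken", NS)
        if token is None:
            raise AuthError("missing UsernameToken")
        username = token.findtext("wsse:Username", namespaces=NS)
        pw = token.find("wsse:Password", NS)
        nonce_b64 = token.findtext("wsse:Nonce", namespaces=NS)
        created = token.findtext("wsu:Created", namespaces=NS)
        if not (username and nonce_b64 and created) or pw is None or pw.get("Type") != DIGEST_TYPE:
            raise AuthError("digest token with Nonce and Created required")
        try:
            created_at = datetime.strptime(created, TIME_FMT).replace(tzinfo=timezone.utc)
        except ValueError:
            raise AuthError("malformed Created") from None
        if abs(now - created_at) > self.freshness:   # bounds how long a nonce must be remembered
            raise AuthError("Created outside freshness window")
        nonce = base64.b64decode(nonce_b64)
        self.seen = {n: exp for n, exp in self.seen.items() if exp >= now}   # evict nonces that can no longer be replayed
        if nonce in self.seen:
            raise AuthError("replayed nonce")
        expected = password_digest(nonce, created, self.passwords.get(username, ""))
        if username not in self.passwords or not hmac.compare_digest(expected.encode(), (pw.text or "").encode()):
            raise AuthError("bad credentials")
        self.seen[nonce] = created_at + self.freshness   # remember only after a successful check
        return username


def run_scenario() -> Dict[str, str]:
    """Drive both sides with a fixed clock (constructed inputs); returns the outcome of each case."""
    secret = "correct-horse-battery-staple"
    verifier = UsernameTokenVerifier({"alice": secret})
    t0 = datetime(2004, 5, 1, 12, 0, 0, tzinfo=timezone.utc)
    body = '<m:GetBalance xmlns:m="urn:example:csf"><m:Account>1001</m:Account></m:GetBalance>'

    def attempt(envelope: str, now: datetime) -> str:
        try:
            return "accepted:" + verifier.verify(envelope, now=now)
        except AuthError as err:
            return "rejected:" + str(err)

    req = build_request("alice", secret, body, now=t0)
    return {
        "fresh": attempt(req, t0 + timedelta(seconds=5)),
        "replay": attempt(req, t0 + timedelta(seconds=20)),           # same envelope, same nonce
        "stale": attempt(build_request("alice", secret, body, now=t0 - timedelta(hours=1)), t0),
        "bad_password": attempt(build_request("alice", "guess", body, now=t0), t0),
        "unknown_user": attempt(build_request("mallory", secret, body, now=t0), t0),
    }


if __name__ == "__main__":
    for case, outcome in run_scenario().items():
        print(f"{case:13s} {outcome}")
```

Two caveats a practitioner should keep in mind: the digest is an unsalted SHA-1 over nonce, timestamp and password, so anyone who captures a token can run an offline dictionary attack on the password, which is why the slides still require HTTPS or WS-Security encryption on the wire; and the freshness window is a clock-skew trade-off, since a shorter window shrinks the nonce cache but rejects legitimate clients whose clocks drift.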
Policy-based Routing • Goal is to enable service differentiation • Bundle different physical deployments of Web service into a single service • Use policy-based routing to enforce service differentiation • Routing policy could be based on any defined attributes: • Class of service. e.g. Silver, Gold, Platinum subscription • User privileges – VP vs. Manager vs. Contractor roles • Time of day etc.
Web Service Logging and Monitoring • Log web service requests, responses, security events, etc. • Logging level can be changed by configuration • Uses Windows Management Instrumentation (WMI) • Uses Microsoft Operations Manager (MOM) for collection and analysis • Foundation for building other value added services, e.g. Metering and Billing
CSF Runtime Architecture • Runtime features are pluggable and configurable • Input and output pipeline message processing (diagram): a SOAP Request enters the CSF Runtime Engine as a Request Message Context and passes through the input pipeline stages: RSA ClearTrust Authentication, Logging using WMI, RSA ClearTrust for Authorization, Custom Business Rules Engine for Routing Policy; the Message Router then forwards it; the Response Message Context passes through the output pipeline (Logging using WMI) and leaves as the SOAP Response
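The pipeline slide above and the policy-based routing slide describe the runtime as an ordered set of pluggable handlers over a message context. The following Python is an added illustration and not CSF code: a minimal input pipeline with authenticate, log, authorize (at the granularity of a web service method, as the requirements slide asks) and route handlers, where the route is chosen by first-match policy rules on subscription class, role and time of day. The credential tokens, directory entries, ACL and endpoint hostnames are constructed; dictionaries and a rule list stand in for RSA ClearTrust, the business rules engine and WMI.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional, Set


class Fault(Exception):
    """A handler aborts the pipeline; the runtime would return a SOAP Fault to the caller."""


@dataclass
class MessageContext:
    """Per-request state threaded through the handlers (the slide's 'Request Message Context')."""
    credential: str                  # bearer credential presented by the caller (constructed stand-in)
    service: str
    method: str
    received_at: datetime
    principal: Optional[str] = None
    roles: Set[str] = field(default_factory=set)
    subscription: Optional[str] = None
    route: Optional[str] = None
    audit: List[str] = field(default_factory=list)


Handler = Callable[[MessageContext], None]

# Constructed sample data standing in for the directory and the admin-defined policies.
CREDENTIALS = {"tok-alice-7f3a": "alice", "tok-bob-91c0": "bob", "tok-carol-2e5d": "carol"}
DIRECTORY = {
    "alice": {"roles": {"VP"}, "subscription": "Platinum"},
    "bob": {"roles": {"Contractor"}, "subscription": "Silver"},
    "carol": {"roles": {"VP"}, "subscription": "Gold"},
}
# Method-level access control: (service, method) -> roles allowed to invoke it.
METHOD_ACL = {
    ("Billing", "GetInvoice"): {"VP", "Manager", "Contractor"},
    ("Billing", "ApproveCredit"): {"VP", "Manager"},
}
# Routing policy: first matching rule wins; the hostnames are hypothetical.
ROUTING_POLICY = [
    (lambda c: c.subscription == "Platinum", "https://billing-platinum.example.internal/Billing.asmx"),
    (lambda c: "VP" in c.roles and 8 <= c.received_at.hour < 18, "https://billing-priority.example.internal/Billing.asmx"),
    (lambda c: c.subscription in {"Gold", "Silver"}, "https://billing-standard.example.internal/Billing.asmx"),
]
BUSINESS_HOURS = datetime(2004, 5, 3, 10, 30, tzinfo=timezone.utc)   # fixed clocks for the demo
AFTER_HOURS = datetime(2004, 5, 3, 22, 0, tzinfo=timezone.utc)


def authenticate(ctx: MessageContext) -> None:
    user = CREDENTIALS.get(ctx.credential)
    if user is None:
        raise Fault("authentication failed")
    entry = DIRECTORY[user]
    ctx.principal, ctx.roles, ctx.subscription = user, set(entry["roles"]), entry["subscription"]


def authorize(ctx: MessageContext) -> None:
    allowed = METHOD_ACL.get((ctx.service, ctx.method))
    if allowed is None:                               # deny by default: no policy, no access
        raise Fault(f"no access policy for {ctx.service}.{ctx.method}")
    if not (ctx.roles & allowed):
        raise Fault(f"{ctx.principal} not authorized for {ctx.service}.{ctx.method}")


def route(ctx: MessageContext) -> None:
    for predicate, endpoint in ROUTING_POLICY:
        if predicate(ctx):
            ctx.route = endpoint
            return
    raise Fault("no route matched routing policy")    # again deny by default


def log(stage: str) -> Handler:
    def handler(ctx: MessageContext) -> None:
        ctx.audit.append(f"{ctx.received_at.isoformat()} {stage} principal={ctx.principal} "
                         f"call={ctx.service}.{ctx.method} route={ctx.route}")
    return handler


class Pipeline:
    """Ordered, pluggable handlers; the same class serves a whole runtime or one hop of a chain."""

    def __init__(self, handlers: List[Handler]):
        self.handlers = list(handlers)

    def run(self, ctx: MessageContext) -> MessageContext:
        for handler in self.handlers:
            handler(ctx)
        return ctx


INPUT_PIPELINE = Pipeline([authenticate, log("authenticated"), authorize, route, log("routed")])


def dispatch(credential: str, service: str, method: str, now: datetime) -> Dict[str, object]:
    """Run one request through the input pipeline and report where it went or why it was refused."""
    ctx = MessageContext(credential, service, method, now)
    try:
        INPUT_PIPELINE.run(ctx)
        return {"status": "routed", "route": ctx.route, "principal": ctx.principal, "audit": ctx.audit}
    except Fault as fault:
        ctx.audit.append(f"{now.isoformat()} fault {fault}")
        return {"status": "fault", "reason": str(fault), "audit": ctx.audit}


if __name__ == "__main__":
    for cred, method, when in [("tok-alice-7f3a", "ApproveCredit", BUSINESS_HOURS),
                               ("tok-carol-2e5d", "GetInvoice", AFTER_HOURS),
                               ("tok-bob-91c0", "ApproveCredit", BUSINESS_HOURS)]:
        print(dispatch(cred, "Billing", method, when))
```

Each stage refuses by default, so a method that nobody has written a policy for is unreachable rather than open. When the handler list is split across a chain of intermediaries, as the next slide shows, the downstream hop must authenticate the upstream hop (or verify a signed token) before trusting the principal and roles it receives, otherwise the authorize stage acts on unverified claims.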
CSF Runtime Deployment Scenarios • As a Web service intermediary (diagram): .NET and J2EE Web service clients, each using the CSF Client Toolkit, call a Web Service Intermediary that hosts the CSF Runtime (Security, Log, Policy-based Routing), which forwards the request to .NET and J2EE Web services
CSF Runtime Deployment Scenarios • As a chain of web service intermediaries • Distribute processing across intermediaries • AKA “The Message Bus” to some people (diagram): .NET and J2EE Web service clients using the CSF Client Toolkit call a first Web Service Intermediary (CSF Runtime: Authenticate, Route), which forwards to a second Web Service Intermediary (CSF Runtime: Authorize, Log, Route), which forwards to the .NET and J2EE Web services
CSF Runtime Deployment Scenarios • “In-Proc” Model • End-to-end processing (diagram): no intermediary; the CSF Runtime is hosted inside the .NET Web Service Client (Authenticate, Encrypt/Decrypt) and inside the .NET Web Service (Authenticate, Encrypt/Decrypt, Authorize, Log)
CSF Runtime Deployment Scenarios Summary • Flexibly combine all models (diagram: a .NET Web Service Client and a .NET Web Service each hosting the CSF Runtime in-proc, a J2EE Web Service Client and a J2EE Web Service reached through Web Service Intermediaries that host the CSF Runtime, all within one deployment)
Conclusions • Multiple challenges in Web services management • Common Service Framework: • Administrative Framework • Registering web services and consumers • Managing policies for security, routing etc. • Runtime Framework • Enforcing web service management policies • Easy to add more management enforcement capabilities • Flexible to support many deployment models