Attachments\Products\PortSight Secure Access\Training.ppt

Jun 08, 2015

Databaseguys
Page 1: Attachments\Products\PortSight Secure Access\Training.ppt

www.PortSight.com

PortSight SecureAccess 2.3

Training for developers and system administrators

October 18th, 2005

Page 2

Agenda
- Introduction
- Features in Detail
- System Installation and Maintenance
- Securing Your Applications

Page 3

Introduction

Page 4

What is SecureAccess?
Microsoft .NET component for enterprise solution developers that allows them to secure and personalize:
- ASP.NET applications and Web content
- Web Services
- WinForm applications
You can easily check user names and passwords, control access rights and track user activities.
It can be integrated with legacy user databases and with Active Directory.

Page 5

Page 6

Benefits (1)
PortSight Secure Access doesn't replace the .NET Framework or Windows security, but it extends it and makes its management and use easier.
Offers a comprehensive set of security mechanisms including user roles, permissions, auditing and delegation of administration.
- Reuse Existing User Profiles
- Start Immediately with Short Learning Curve

Page 7

Benefits (2)
- Supports both Forms and Windows authentication.
- Enable Self-Service and Save on Support
- Reduce Your Development Time
- Keep the Identities Manageable
- User Management You Already Know
- Organizational Units and Nested Groups

Page 8

Benefits (3)
- Unlimited Number of Users and Applications
- Better Insight with Permission Matrix
- Easier Management with Delegation
- User Preferences without Cookies
- User Activity Auditing
- Import from External Directories (AD, ODBC)
- Functionality Exposed through Web Services
- Multi-Tier Architecture for Better Scalability

Page 9

What's new in SE 2.3?
- Active Directory, Windows NT domain and ODBC integration
- Enhanced support for securing Web Services
- Authentication and authorization Web Service
- The Application Configuration Wizard
- Added support for Web Farms.
- Permission types can be inherited from application to application parts.
- Extended the Developer's Guide
- Fixed bugs

Page 10

Secure Access Editions
- Standard
- Enterprise: includes import from external data sources.
- Community: for free! Intended to be used for smaller projects. It's limited to 100 user accounts. Doesn't support organizational units and permissions.

Page 11

Questions?

Page 12

Features in Detail

Page 13

User Management
PortSight Secure Access includes a comfortable web-based user management interface.
It allows you to manage user accounts, set users' properties and passwords, and organize users into (nested) groups, OUs and roles.
Storing user information, including job position, contact and shipping address, etc.
Storing an unlimited number of user preferences, such as preferred language, colors, layout, etc.
The concepts are very similar to those from Microsoft Windows.

Page 14

Membership in Groups and OUs
A user can be a member of any number of user groups, organizational units and roles.
Groups, units and roles can be nested.
Organizational units are used to describe the hierarchical structure of your organization.
You can easily check a user's membership in groups and units.

Page 15

Management of Applications
Applications represent the real applications you wish to secure with Secure Access.
You can use these "virtual applications" to specify roles and permissions for accessing them and then check these permissions from within your application code.
Each application can be split into several application parts (modules) that allow you to define permissions with higher granularity.
The list of your web applications is also stored in the PortSight Secure Access catalog.

Page 16

Role-Based Security
Each application can have several associated user roles defined, e.g. "Editor", "Chief-Editor", "Designer" and "Administrator".
You can assign users, groups or organizational units to a particular role.
You can later check in your application code if the current user is in the specified role.

Page 17

Resource-Based Security (Permission Matrix)
Permission types represent rights you grant to users, e.g. "create", "approve" or "delete".
The permissions are defined on the application or application part level.
For example, you may define application parts News, Articles and Links for a Web Portal application and define permissions for each of them, e.g. Read, Edit and Approve.
Now you simply grant these permissions to users for a particular application or its part in the Permission Matrix; permissions can be granted to any operator (users, user groups, organizational units or roles).
You can later check in your application code if the current user has the requested permission granted.
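The rules on pages 14, 16 and 17 (nested groups, OUs and roles; permission types defined per application or part; grants to any operator) and the note on page 9 that permission types are inherited from an application to its parts can be modelled in a few lines. The following is an added example written for this page, not PortSight code: the class and method names, the Web Portal catalog, the group names and the users JohnD, AnnK and JaneS are all constructed. Grants are resolved only at the exact application or part scope on which they were made, because the deck does not say that a grant on an application carries over to its parts; only the permission types are inherited. The check at the end takes the same three inputs as the deck's own ARHelper.IsAuthorized call: a user, a secured application (or part) and a permission type.

```python
from collections import deque


class PermissionMatrix:
    """Toy model (constructed for this page, not PortSight code) of the
    deck's Permission Matrix: operators (users, groups, OUs, roles) can be
    nested in one another, permission types are defined on an application
    and inherited by its parts, and grants are recorded per scope."""

    def __init__(self):
        self.containers = {}   # container name -> set of direct member names
        self.types = {}        # (application, part or None) -> set of permission types
        self.grants = {}       # (application, part or None) -> {operator: set of types}

    def add_member(self, container, member):
        """Make `member` (user, group, OU or role) a direct member of `container`."""
        self.containers.setdefault(container, set()).add(member)

    def define_type(self, application, permission, part=None):
        """Define a permission type on an application (part=None) or on one part."""
        self.types.setdefault((application, part), set()).add(permission)

    def defined_types(self, application, part=None):
        """Types valid at a scope: a part inherits the application-level types."""
        valid = set(self.types.get((application, None), set()))
        if part is not None:
            valid |= self.types.get((application, part), set())
        return valid

    def grant(self, operator, permission, application, part=None):
        """Record a grant; refuse a type that was never defined for the scope."""
        if permission not in self.defined_types(application, part):
            raise ValueError(
                f"{permission!r} is not a permission type of {application}/{part}")
        scope = self.grants.setdefault((application, part), {})
        scope.setdefault(operator, set()).add(permission)

    def operators_of(self, user):
        """The user plus every group, OU and role reachable through nesting."""
        reached = {user}
        queue = deque([user])
        while queue:
            current = queue.popleft()
            for container, members in self.containers.items():
                if current in members and container not in reached:
                    reached.add(container)   # each container visited once, so cycles are safe
                    queue.append(container)
        return reached

    def is_authorized(self, user, application, permission, part=None):
        """True if any operator the user belongs to holds the grant at this exact scope."""
        scope = self.grants.get((application, part), {})
        return any(permission in scope.get(op, set())
                   for op in self.operators_of(user))


def build_demo():
    """Constructed catalog: a Web Portal application with a News part."""
    m = PermissionMatrix()
    for p in ("Read", "Edit", "Approve"):
        m.define_type("Web Portal", p)          # defined once, valid on every part
    m.add_member("Editors", "JohnD")
    m.add_member("Chief-Editors", "AnnK")
    m.add_member("Editors", "Chief-Editors")    # nested: chief editors are editors too
    m.add_member("Marketing OU", "JaneS")
    m.grant("Editors", "Edit", "Web Portal", part="News")
    m.grant("Chief-Editors", "Approve", "Web Portal", part="News")
    m.grant("Marketing OU", "Read", "Web Portal", part="News")
    return m


if __name__ == "__main__":
    m = build_demo()
    for user, perm, part in (("JohnD", "Edit", "News"), ("JohnD", "Approve", "News"),
                             ("AnnK", "Edit", "News"), ("JaneS", "Read", "Articles")):
        print(user, perm, part, m.is_authorized(user, "Web Portal", perm, part))
```

AnnK gets Edit on News through the nested Chief-Editors group and Approve directly; JaneS has Read on News but nothing on Articles, because the grant was scoped to the part. Granting a type that was never defined for the scope is rejected, which is the kind of check that keeps a permission matrix from silently accumulating meaningless entries.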

Page 18

Securing Web Content
SA allows you to control access to the content of your Web site, such as media files, documents, files for download and others.
It allows you to check the user's name, membership or permissions and decide if the user is allowed to open the document.
You can specify the content using wildcards, such as "/images/*.jpg".

Page 19

Auditing
PortSight Secure Access allows you to log user actions in its auditing log. The log contains information about the user who made the action and the accessed resource, which gives you a good overview of possible attacks and attempts to access restricted zones, as well as of changes made to your data.
You can also store your custom information about the event, such as information about the data being accessed or changed.

Page 20

Delegation
Group admins (OU admins, App admins for roles and permissions) can delegate management of the members of a particular group, role or OU, as well as management of permissions for particular applications, to other users.
These privileged users can then view the objects they are responsible for and modify their members (or permissions, in the case of application parts and applications).
They are not allowed to modify the objects' properties, create new ones or delete existing ones.

Page 21

Storing User Preferences
Store user preferences (e.g. theme, culture) in the database instead of cookies. You can define any number of preferences.
Each object, such as a user, group, OU, application, application part, role or directory port, can have an unlimited number of properties defined in its settings section.
If you need to define a new property or modify an existing one, expand the Custom Properties item in the main menu.
Access to custom properties is generally slower than to custom fields.

Page 22

Questions?

Page 23

System Installation and Maintenance

Page 24

System Requirements
Deployment
- Windows 2000, XP or 2003 Server
- .NET Framework 1.0 or 1.1
- IIS 5.0+
- SQL Server 2000 or MSDE configured for "Mixed Mode Security"
- MDAC 2.6+
- Internet Explorer 6.0+
Development
- Microsoft Visual Studio .NET 2002 or 2003

Page 25

Installing and Setting up
Run the installer on your Web server. The Secure Access installation wizard will guide you through the installation process.
After installing Secure Access it is necessary to create a new PortSight Secure Access catalog (user database) and deploy the administration interface.

Page 26

System Backup and Recovery
All system data are stored in the SQL Server database.
Use standard tools to regularly back up your Secure Access database.
Back up the settings of the administration application user interface:
- C:\Inetpub\wwwroot\SecureAccess\Web.config
- C:\Program Files\PortSight Secure Access\2.3\Catalog Manager\Catalogs.xml
- C:\inetpub\wwwroot\SecureAccess\Photos
The paths may be different.

Page 27

Catalog Manager tool
Use this tool for managing SA catalogs:
- creating a new catalog
- registering an existing catalog
- unregistering a catalog
- modifying catalog properties
- opening the Web-based user interface of the catalog using IE
- configuring your ASP.NET application to integrate with SA
- importing users, groups and OUs from various data sources (e.g. Active Directory, ODBC, …)

Page 28

Creating a New User Catalog (1)
Use Catalog Manager for creating a new catalog or registering an existing catalog before you start using Secure Access.
A Secure Access catalog consists of a database and of a Web-based administrative user interface.
One instance of the Web-based administrative user interface can manage only one catalog (database).

Page 29

Creating a New User Catalog (2)
The New Catalog Wizard will guide you through the entire process of creating a new catalog.
During this process it is necessary to specify:
- the SQL Server where the catalog will be stored
- the database name
- whether you want to deploy the user interface
- the catalog ID that will uniquely identify this instance of the SA catalog among other catalogs
It's highly recommended that you change the default administrator's password immediately after creating the new catalog.

Page 30

Import Users, Groups and OUs (1)
This feature is only available in the Enterprise Edition.
Use Catalog Manager for managing the import.
You can import users, groups and OUs from various data sources: LDAP, Windows domain and ODBC-enabled databases.
You can also combine information from several data sources into one SA catalog.
The Directory Port Wizard will guide you through the entire process of setting up the import parameters.

Page 31

Import Users, Groups and OUs (2)
Use the Directory Port Wizard to:
- map source fields to the SA fields
- choose objects to be imported or filter out objects not to be imported
- specify whether the objects should be imported including their membership
- specify whether the import should be started manually or periodically
You can use the support for ODBC data sources to import objects from any application. You only need to prepare the input data in a certain format.

Page 32

Import Users, Groups and OUs (3)
Mapping properties between source and target objects:
- The target field you map to AR_ObjectGUID must be used by only one directory port.
- The target fields may only be of string type.
- The provider doesn't consider whether the imported account is disabled or not in this version.
There are the following default source fields:
- AR_ObjectGUID: a unique identifier
- AR_Login: login name of the imported user
- AR_ObjectAlias: a unique property
- AR_ObjectName: an object name (full name)

Page 33

Using Windows Authentication
After you deploy the SA Web user interface it uses forms authentication by default.
When switched to Windows authentication, it compares the NT login name of the current user with the SA user name, e.g. CZ\PetrPi.
In the Web.config replace the whole authentication section with the following text: <authentication mode="Windows" />
Launch the IIS console and, for the SA Web user interface, disable Anonymous access, Digest authentication and Basic authentication, and enable Integrated Windows authentication.

Page 34

Securing Secure Access
Secure Access Catalog Manager stores the passwords you enter within the encrypted XML file catalogs.xml that contains information about registered catalogs. Since the encryption mechanism is not very strong, you should allow only administrators to access this file.
SA Catalog Manager distributes the passwords (database connection string) into Web.config files in a non-encrypted form, which is the common way most developers are used to. Thus, you should allow only administrators and developers to access this file.

Page 35

Installing SA on a Web Farm
PortSight Secure Access 2.3 was tested with Microsoft Application Center 2000 SP1.
- Set up the Microsoft Application Center.
- Install the Secure Access user interface on the cluster in the Web Farm using the Catalog Manager.
- You must use either StateServer or SQLServer session mode, not InProc session mode. See the ASP.NET documentation for more details.
- Make sure that the web.config (or machine.config) file of the Secure Access user interface or of your application contains the same machine key on all computers in the Web farm.
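The three Web.config settings the deck calls for on pages 33 and 35 (Windows authentication, an out-of-process session mode and one machine key shared by every farm member) fit in a single system.web section. This is an added configuration example for this page, not a file shipped with Secure Access or produced by its Application Configuration Wizard. The state-server host and the two key values are placeholders: generate the keys once, copy the identical values to every computer in the farm, and keep them out of source control. Leaving machineKey at its ASP.NET default (AutoGenerate) gives each server its own key, which is exactly the mismatch page 35 warns against.

```xml
<configuration>
  <system.web>
    <!-- Page 33: Windows authentication. IIS must also have Integrated Windows
         authentication enabled and Anonymous, Basic and Digest disabled. -->
    <authentication mode="Windows" />

    <!-- Page 35: never InProc on a farm; StateServer (shown) or SQLServer.
         PLACEHOLDER host: the machine running the ASP.NET State Service. -->
    <sessionState mode="StateServer"
                  stateConnectionString="tcpip=STATE-SERVER-HOST:42424"
                  cookieless="false"
                  timeout="20" />

    <!-- Page 35: identical on every farm member, otherwise forms-authentication
         tickets and view state signed on one server are rejected by another.
         PLACEHOLDER values: replace with generated hex keys of the lengths the
         ASP.NET documentation specifies for the chosen validation algorithm. -->
    <machineKey validationKey="REPLACE-WITH-GENERATED-HEX-VALIDATION-KEY"
                decryptionKey="REPLACE-WITH-GENERATED-HEX-DECRYPTION-KEY"
                validation="SHA1" />
  </system.web>
</configuration>
```

A quick way to confirm the farm is consistent is to sign in through one node and then take the next request from another node: with a shared key and StateServer session, the session survives; with per-machine keys or InProc state, the user is bounced back to sign-in.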

Page 36

Questions?

Page 37

Securing Your Applications

Page 38

Administration Web Interface
Secure Access is delivered with a Web-based administration console for managing objects and permissions, i.e. users, groups, OUs and secured applications.
This console is shipped with full source code, so it can easily be customized and integrated, and its parts reused in target applications.

Page 39

Application Configuration Wizard
Catalog Manager includes a wizard that helps developers integrate Secure Access with their WebForm solutions.
- Supports both C# and VB.NET projects
- Windows and Forms authentication
- Modifies the following files for you: IIS settings, Global.asax, Web.config, project file
- Adds Secure Access User Controls to the project

Page 40

Secure Access usage scenarios (1)
Authentication allows you to restrict access to your application to authenticated users only. The users have to provide their login name and password. PortSight Secure Access provides two ways of authentication:
- Forms authentication: the user must enter a login name and password
- Windows authentication: the user must be logged in to a domain
You can also protect only a particular part of your application.

Page 41

Secure Access usage scenarios (2)
You may use Secure Access for:
- Authentication: verifying the user's identity, usually by providing a user name and password
- Authorization: checking the user's roles and access rights
- Auditing: storing user actions in its auditing log
- Storing user settings: store any number of settings, such as preferred culture, colors or default values, within the user's or group's profile

Page 42

Authentication
You may explicitly verify the user's identity by checking the provided user credentials against the Secure Access database.

[VB.NET]
authenticationResult = _
    arCN.Authenticate("JohnF", "p&ss2vord")

Page 43

Authorization – Role based security
Roles represent typical users, e.g. Administrator, Editor, Manager. You can define any number of roles for your application and assign users to these roles. Then you can simply check in your code if the current user is allowed to use your application.

[VB.NET]
If ARHelper.IsInRole("JohnD", _
                     "Reports.Manager") Then ...

Page 44

Authorization – Permissions
Permission-based security offers a more flexible solution for controlling access. You can define any number of permission types, such as Read, Modify, Delete or Approve. Then you can grant default permissions to roles. When the business logic changes later, you can easily modify the permission matrix without recompiling the application.

[VB.NET]
If ARHelper.IsAuthorized("JohnD", _
                         "Reports.Viewer", "Read") Then ...

Page 45: Attachments\Products\PortSight Secure Access\Training.ppt

45

Auditing TrailAuditing Trail An important feature of the application An important feature of the application

security is auditing of user activities. It can security is auditing of user activities. It can help you detect attacks and attempts at help you detect attacks and attempts at unauthorized access to secret data and unauthorized access to secret data and also keep track of data modifications. also keep track of data modifications. SSome lawsome laws may even may even require the auditing require the auditing trail. trail.

[VB.NET]

ARHelper.Log("JohnD", "User changed amount to USD 5.90", _
    "WorkReports.TravelExpenses")
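The permission check from the previous slide and the Log call above are meant to be used together; the following C# service is an added example, not PortSight's own code, showing a fail-closed handler that audits every decision. It assumes ARHelper.IsAuthorized(login, object, permission) and ARHelper.Log(login, message, object) have the shapes shown on the slides and that the Secure Access assembly is referenced; the report store is an in-memory stand-in constructed for the example.

```csharp
// Added example (not PortSight's own code): a fail-closed report service that
// combines the permission check from slide 44 with the auditing trail from
// slide 45. Assumptions: ARHelper.IsAuthorized(login, object, permission) and
// ARHelper.Log(login, message, object) have the shapes shown on the slides and
// the Secure Access assembly is referenced; the report store below is an
// in-memory stand-in constructed for this example.
using System;
using System.Collections.Generic;

public static class TravelExpenseService
{
    // Secured object name taken from the slide 45 Log() call.
    const string SecuredObject = "WorkReports.TravelExpenses";

    // Constructed sample data: report id -> amount in USD.
    static readonly Dictionary<int, decimal> Reports =
        new Dictionary<int, decimal> { { 1, 12.40m }, { 2, 5.90m } };

    // Every authorization decision, granted or denied, goes to the audit log,
    // so a burst of denials for one login is visible to whoever reviews it.
    static bool Check(string login, string permission)
    {
        bool allowed = ARHelper.IsAuthorized(login, SecuredObject, permission);
        ARHelper.Log(login,
            (allowed ? "Granted " : "DENIED ") + permission,
            SecuredObject);
        return allowed;
    }

    public static decimal ReadAmount(string login, int reportId)
    {
        if (!Check(login, "Read"))
            throw new UnauthorizedAccessException("Read denied for " + login);
        return Reports[reportId];
    }

    public static void ChangeAmount(string login, int reportId, decimal newAmount)
    {
        if (!Check(login, "Modify"))
            throw new UnauthorizedAccessException("Modify denied for " + login);
        decimal old = Reports[reportId];
        Reports[reportId] = newAmount;
        // Record old and new values, not just that a change happened.
        ARHelper.Log(login,
            string.Format("User changed amount of report {0} from USD {1} to USD {2}",
                          reportId, old, newAmount),
            SecuredObject);
    }
}
```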

Page 46

Storing User Settings

Secure Access allows you to store any number of user settings, such as preferred culture, colors, default values etc. in the Secure Access database.

[VB.NET]

arcn.GetUserByLogin(User.Identity.Name). _
    SetPropertyValue( _
    "preferred_color", _
    "darkBlue")

Page 47

How to use Secure Access for

Securing Web Applications
Securing WinForm Applications
Securing Web Services

It's important to understand that PortSight Secure Access is a component targeting developers, not a security application intended for immediate use by end users.

Page 48

Securing Web Applications

Extends the existing authentication mechanisms.

Secure Access is delivered with ASP.NET user controls (available with full source code).

Page 49

Securing WinForm Applications

The connection string to the DB can either be stored in the .config file or set later from within the code, if you need to hide it from the users.

Client applications can improve overall security by connecting to Secure Access via the ARWSWebService Web Service. Secure Access is delivered with WinForm controls that simplify this integration:

ARWSLogonCtrl – for checking the provided login name and password
ARWSSetPasswordCtrl – for changing passwords

Page 50

Securing WinForm Applications

Communication with ARWebService can be secured by the following WS-Security methods and their combinations:

X.509 encryption - Asymmetric encryption encodes the content of the SOAP message and thus protects it against eavesdropping during its transmission.

X.509 signature - Digital signatures help to verify the trustworthiness of the partner and of course verify that the message has not been altered since it was signed.

Symmetric encryption - It may be used together with X.509 certificates for strengthening the security, or it can be used as a standalone security mechanism where X.509 certificates cannot be used for some reason.

Page 51

Securing WinForm Applications

ARWSWebService automatically (without additional configuration) supports the following security scenarios:

If symmetric encryption is required, or if the client optionally encrypted the request using the shared symmetric key, then the response will be symmetrically encrypted as well.

If the client signed the request using his private key, then the response will be asymmetrically encrypted using the appropriate client's public key found in the signature.

If X.509 signing is required, or if the client optionally signed the request, then the response will be signed using the server's private key.
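The two X.509 scenarios above (signed request ⇒ reply encrypted to the signer's public key, and ⇒ reply signed by the server) are modelled in the following C#, an added example rather than PortSight's ARWSWebService code. It assumes plain RSA key pairs standing in for X.509 certificates (real WS-Security carries the client's certificate inside the signature), .NET 6 or later for the OAEP-SHA256 and PSS paddings, and leaves the symmetric-key scenario out.

```csharp
// Added example, not PortSight's code: models slide 51's two X.509 response
// rules with RSA key pairs standing in for certificates (assumption; real
// WS-Security carries the client certificate inside the signature). Needs
// .NET 6 or later for the padding modes used.
using System;
using System.Security.Cryptography;

public sealed class Envelope
{
    public byte[] Body;              // SOAP body, plaintext or RSA-OAEP ciphertext
    public byte[] Signature;         // RSA-PSS/SHA-256 over Body, or null if unsigned
    public RSAParameters SignerKey;  // signer's public key (stands in for the X.509 cert)
    public bool Signed { get { return Signature != null; } }
}

public static class WsSecurityModel
{
    public static Envelope Sign(byte[] body, RSA signer)
    {
        return new Envelope {
            Body = body,
            Signature = signer.SignData(body, HashAlgorithmName.SHA256, RSASignaturePadding.Pss),
            SignerKey = signer.ExportParameters(false)   // public part only
        };
    }

    public static bool Verify(Envelope e)
    {
        if (!e.Signed) return false;
        using (RSA pub = RSA.Create())
        {
            pub.ImportParameters(e.SignerKey);
            return pub.VerifyData(e.Body, e.Signature, HashAlgorithmName.SHA256, RSASignaturePadding.Pss);
        }
    }

    // Server side: how the request arrived decides how the reply is protected.
    public static Envelope Respond(Envelope request, RSA serverKey, bool signingRequired, byte[] reply)
    {
        // A request that carries a signature which does not verify is rejected, never answered.
        if (request.Signed && !Verify(request))
            throw new CryptographicException("request signature invalid");
        if (request.Signed)
        {
            // Rule: signed request -> encrypt the reply to the public key found in the signature.
            using (RSA clientPub = RSA.Create())
            {
                clientPub.ImportParameters(request.SignerKey);
                reply = clientPub.Encrypt(reply, RSAEncryptionPadding.OaepSHA256);
            }
        }
        // Rule: sign the reply when signing is required or when the client signed.
        return (signingRequired || request.Signed) ? Sign(reply, serverKey) : new Envelope { Body = reply };
    }
}
```

The client, holding its private key, verifies the server signature with the server's public key and then decrypts the body; a reply of a few hundred bytes fits RSA-OAEP with a 2048-bit key, longer bodies would need a wrapped symmetric key as in the slide's combined scenarios.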

Page 52

Securing WinForm Applications

Page 53

Securing Web Services

Advantages of using the PortSight Secure Access API libraries to secure your own Web Services:

Stores all user information, passwords and settings in one database

Restricts access to your Web Service to authenticated and authorized users with high granularity of access rights

Logs access to your Web Service, and the auditing log can be used for billing Web Service usage

Secure Access provides you with support for symmetric encryption or X.509 certificates to encrypt the communication between the client and your web service

Page 54

Questions?

Page 55

Thank you for your time!