The Common Services Framework Project

Dec 31, 2015

Download

Documents

Rose Salas

Adding Security and Values to Heterogeneous Web Services Environment. Frederick Chong, Software Design Engineer, Microsoft; Kevin W. Wall, Staff Software Engineer, Qwest IT. PowerPoint presentation.
Transcript
Page 1: The Common Services Framework Project

The Common Services Framework Project

Adding Security and Values to Heterogeneous Web Services Environment

Frederick Chong
Software Design Engineer
Microsoft

Kevin W. Wall
Staff Software Engineer
Qwest IT

Page 2: The Common Services Framework Project

CSF Project Background

Joint work between the .NET Enterprise Architecture Team, MCS and Qwest.

Multiple phases of the project. This presentation is about phase 1.

Page 3: The Common Services Framework Project

Business Drivers

Expose and resell existing internal Telco applications
Reuse the same infrastructure for managing external applications hosted by third parties
Leverage management of web services through a centralized interface
Provide a common security solution to web services

Page 4: The Common Services Framework Project

Challenges

Exposing information and functionality in a modular, scalable, secure, and internet-friendly way has significant challenges:
• Time-to-market
• Scaling to the web
• Lack of end-to-end development tools
• Inability to interact between applications developed on heterogeneous platforms and environments

Page 5: The Common Services Framework Project

XML Web Services to the Rescue

Web Services provide loosely coupled applications and components designed for today's heterogeneous computing landscape
• Improves programmer productivity
• Ease of deployment
• Facilitates sharing and reuse of components
• Communicating using Internet protocols and standards, such as SOAP and XML

Web Services == ISDN? (I See Dollars Now)

Page 6: The Common Services Framework Project

Selling Web Services

(Diagram: three parties in the chain: Web Services Owners/Providers, Web Services Consumers, and Web Applications Users.)

Page 7: The Common Services Framework Project

Employing Web Services

Applications that employ web services in their architecture have to consider 3 phases of the web service life cycle:
• Web service development
• Web service deployment
• Web service consumption

All phases involve several management challenges

Page 8: The Common Services Framework Project

Development Challenges

Web Service developers are concerned with:

Securing web services
• How to secure service components so that only authenticated & authorized users are able to consume them.

Managing versions
• Manage versions of service components so that consumers are least impacted

Logging usage and health of services
• Monitoring the health of a web service, and reporting on usage (volume, components accessed, ...)

Page 9: The Common Services Framework Project

Deployment Challenges

Web Service administrators are concerned with:
Security
Availability
Reliability
Recovery
Access
User Management
Consumption Analysis
Production Environment

Page 10: The Common Services Framework Project

Consumer Challenges

Developers writing client applications that consume web services must address issues such as those faced by their counterparts developing the Web services.

Issues that must be analyzed may include:
• How many transactions/sec will the Web service be able to support?
• Are the Web services secure?
• Is the information sent encrypted? If so, how do I encrypt the information?
• How reliable is the Web service?
• Is there a way of knowing my consumption pattern?

Page 11: The Common Services Framework Project

Web Services in Qwest

Large number of custom WS have been developed and deployed
WS support increasingly sophisticated business processes.
Development and management of WS is continuously evolving in complexity
Multiple technologies used: .NET, GLUE, WLS

Page 12: The Common Services Framework Project

Web Services Common Requirements

All web services developed have a common set of needs:
• Security: Authentication, Authorization, Confidentiality, Data Integrity
• Global availability
• Reliability
• Version management
• Metering, Monitoring and Logging
• Interoperability of applications

Page 13: The Common Services Framework Project

Why CSF/WS Management?

In summary:
• Need a set of capabilities to support increasingly sophisticated business processes enabled through web services
• Address global availability, reliability, security, version management, metering, monitoring, deployment & consumption challenges
• Ensure interoperability of applications
• Lower development and deployment time and cost
• Some of the needs can be met by current Web technologies, but others clearly need new tools

Page 14: The Common Services Framework Project

Logical View of the Common Services Framework

(Diagram: the Common Services Framework sits between the Web Services Owners/Providers, the Web Services Consumers, and the Web Applications Users.)

Page 15: The Common Services Framework Project

Basic Flows in the Common Services Framework

(Diagram: Company A (Web Service Provider) and Company B (Web Service Consumer) both interact with CSF Administration; Company B's requests pass through the CSF Client Toolkit and the CSF Runtime, which secures, logs and routes them, to Company A's web service.)

1. Company A registers its organization with CSF
2. Company A registers its web service
3. Company A defines access policies
4. Company B registers its organization with CSF
5. Company B subscribes to Company A's web service
6. Company B consumes the web service
7. Web service response

Page 16: The Common Services Framework Project

CSF Components

CSF Components include:

• CSF Administration
  Registration of web services
  Creation and administration of security policies & privileges
  Multiple routing scenarios and versioning
  Manage subscription to web service consumption

• CSF Run Time
  Web services security
  Unified logging and monitoring
  Static routing and dynamic routing

• CSF Client Toolkit
  Standard libraries for WS clients
  Configuration driven
  Enables the client to act as a transparent forward proxy

Page 17: The Common Services Framework Project

Challenges Addressed by CSF Phase 1

Web services security
Policy-driven routing of web service requests and responses
Web service traffic logging
Builds the foundation for adding more value added services (Metering, Billing etc.)

Page 18: The Common Services Framework Project

CSF Security Requirements

Unilateral or mutual authentication
Access control at the granularity of a web service method
Session-level confidentiality
Session-level integrity
• Including replay prevention

Page 19: The Common Services Framework Project

CSF Security Wishlist

End-to-end confidentiality and integrity
Non-repudiation of origin, of receipt, and of delivery
Content inspection / scrubbing
• Input validation
• Canonicalization
• Parameter manipulation

Page 20: The Common Services Framework Project

Web Services Security

Authentication
• WS-Security
  Password-based
  X.509 public key certificates
  End-to-end authentication
• Basic authentication over HTTPS

Authorization
• Role-based authorization and business rules
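The password-based WS-Security authentication listed above, together with the replay prevention that the CSF security requirements slide (page 18) asks for, can be shown concretely with the WS-Security UsernameToken PasswordDigest scheme. The Python below is an added example written for this page, not code from the CSF project or from the presenters; the user name, password, freshness window and the dictionary layout standing in for the wsse:UsernameToken element are constructed assumptions. The digest formula itself is the one the OASIS WSS UsernameToken Profile 1.0 specifies: Base64(SHA-1(nonce || created || password)), with the nonce as raw bytes.

```python
"""WS-Security UsernameToken (PasswordDigest) with replay prevention.

Added example, not CSF code. Follows the OASIS WSS UsernameToken Profile 1.0:
PasswordDigest = Base64(SHA-1(nonce || created || password)), where nonce is the
raw (base64-decoded) nonce bytes and created is the wsu:Created timestamp text.
"""
import base64
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

WSU_FORMAT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed credential store (assumption). The verifier needs the password
# itself, because PasswordDigest is SHA-1 over the plaintext password.
USERS = {"companyB-client": "s3cret-subscription-pw"}


def _to_dt(value):
    """Accept a wsu:Created string, a datetime or None; return an aware UTC datetime."""
    if value is None:
        return datetime.now(timezone.utc)
    if isinstance(value, datetime):
        return value
    return datetime.strptime(value, WSU_FORMAT).replace(tzinfo=timezone.utc)


def password_digest(nonce_b64, created, password):
    """PasswordDigest per the UsernameToken profile (nonce bytes, not base64 text)."""
    material = base64.b64decode(nonce_b64) + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(material).digest()).decode("ascii")


def build_username_token(username, password, created=None):
    """Client side: fresh 16-byte nonce, timestamp, digest (password never on the wire)."""
    created = _to_dt(created).strftime(WSU_FORMAT)
    nonce_b64 = base64.b64encode(secrets.token_bytes(16)).decode("ascii")
    return {
        "Username": username,
        "Nonce": nonce_b64,
        "Created": created,
        "PasswordDigest": password_digest(nonce_b64, created, password),
    }


class UsernameTokenVerifier:
    """Server side: a freshness window plus a nonce cache give replay prevention."""

    def __init__(self, users, freshness=timedelta(minutes=5)):
        self.users = users
        self.freshness = freshness
        self.seen = {}  # nonce -> created; entries older than the window are purged

    def verify(self, token, now=None):
        now = _to_dt(now)
        # A nonce older than the window cannot be replayed (its timestamp fails first),
        # so the cache only needs to remember nonces for the length of the window.
        for nonce in [n for n, c in self.seen.items() if now - c > self.freshness]:
            del self.seen[nonce]
        try:
            created = _to_dt(token["Created"])
        except (KeyError, ValueError):
            return False, "bad timestamp"
        if abs(now - created) > self.freshness:
            return False, "stale timestamp"
        nonce = token.get("Nonce", "")
        if nonce in self.seen:
            return False, "replayed nonce"
        password = self.users.get(token.get("Username"))
        if password is None:
            return False, "unknown user"
        try:
            expected = password_digest(nonce, token["Created"], password)
        except ValueError:  # binascii.Error on a malformed nonce is a ValueError
            return False, "bad nonce"
        # Constant-time compare so a digest mismatch leaks nothing about position.
        if not hmac.compare_digest(expected, token.get("PasswordDigest", "")):
            return False, "bad digest"
        self.seen[nonce] = created  # only record nonces of accepted tokens
        return True, "ok"


if __name__ == "__main__":
    verifier = UsernameTokenVerifier(USERS)
    token = build_username_token("companyB-client", USERS["companyB-client"])
    print(verifier.verify(token))  # accepted once
    print(verifier.verify(token))  # the same token again is rejected as a replay
```

The second verification of an unchanged token fails even though its digest is still correct; that is the replay check doing its job, and it is only sound because the timestamp window bounds how long a nonce must be remembered. The scheme also requires the service to hold every consumer's plaintext password, a property worth weighing against the X.509 certificate option listed above.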

Page 21: The Common Services Framework Project

Web Services Security

Authentication and Authorization Implementations:
• Qwest re-used their existing corporate LDAP Directory and RSA ClearTrust products
• Could be easily replaced by Microsoft Active Directory and the Windows Role-based Authorization Manager Framework

Page 22: The Common Services Framework Project

Web Services Security

Confidentiality
• WS-Security
  Symmetric and asymmetric key encryption
  End-to-end encryption
• HTTPS
  For clients that don't speak WS-Security

Note that HTTPS protects only the hop it is set up on: an intermediary such as the CSF runtime terminates the TLS session and sees the SOAP message in the clear before forwarding it. Message-level WS-Security encryption is what gives confidentiality end-to-end across intermediaries.

Page 23: The Common Services Framework Project

Policy-based Routing

Goal is to enable service differentiation
Bundle different physical deployments of a Web service into a single service
Use policy-based routing to enforce service differentiation
Routing policy could be based on any defined attributes:
• Class of service, e.g. Silver, Gold, Platinum subscription
• User privileges – VP vs. Manager vs. Contractor roles
• Time of day etc.
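As an added example (not CSF code and not from the presenters) of the attribute-driven routing described above: a small Python rule engine that maps one logical service to several physical deployments and picks one from class of service, role and time of day. It goes one step beyond the slide by running the method-granularity access check from the CSF security requirements slide first, so a request is never routed before it is authorized. The service name, method names, attribute keys, role names and endpoint URLs are constructed for illustration.

```python
"""Policy-based routing with method-level authorization in front of it.

Added example, not CSF code. The attribute names (class_of_service, role, hour),
the rule format, the method names and the endpoint URLs are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class RequestContext:
    """The subset of a request message context that the policies look at."""
    service: str      # logical service name the consumer subscribed to
    method: str       # web service method (access control is per method)
    attributes: dict  # caller attributes established earlier in the pipeline


@dataclass
class RoutingRule:
    name: str
    target: str               # physical deployment URL
    when: Dict[str, object]   # attribute -> required value, or a predicate on it

    def matches(self, ctx: RequestContext) -> bool:
        for key, expected in self.when.items():
            actual = ctx.attributes.get(key)
            if callable(expected):
                if not expected(actual):
                    return False
            elif actual != expected:
                return False
        return True


@dataclass
class ServicePolicy:
    """One logical service bundling several physical deployments."""
    rules: List[RoutingRule]                  # evaluated in order; first match wins
    default: Optional[str] = None             # None means a closed policy: no match -> deny
    method_roles: Dict[str, set] = field(default_factory=dict)  # method -> allowed roles


class PolicyRouter:
    def __init__(self):
        self.policies: Dict[str, ServicePolicy] = {}

    def register(self, service: str, policy: ServicePolicy) -> None:
        self.policies[service] = policy

    def authorize(self, ctx: RequestContext) -> bool:
        """Method-granularity access control; unknown services and methods are denied."""
        policy = self.policies.get(ctx.service)
        if policy is None:
            return False
        return ctx.attributes.get("role") in policy.method_roles.get(ctx.method, set())

    def route(self, ctx: RequestContext) -> Tuple[str, str]:
        """Returns ('forward', url) or ('deny', reason). Authorization runs first."""
        if not self.authorize(ctx):
            return "deny", f"role {ctx.attributes.get('role')!r} may not call {ctx.service}.{ctx.method}"
        policy = self.policies[ctx.service]
        for rule in policy.rules:
            if rule.matches(ctx):
                return "forward", rule.target
        if policy.default is None:
            return "deny", "no routing rule matched"
        return "forward", policy.default


def business_hours(hour) -> bool:
    """Time-of-day attribute: the hour of the request, 08:00-17:59 counts as peak."""
    return hour is not None and 8 <= hour < 18


def demo_router() -> PolicyRouter:
    """Constructed policy: one telco lookup service with three physical deployments."""
    router = PolicyRouter()
    router.register("CustomerLookup", ServicePolicy(
        rules=[
            RoutingRule("platinum", "https://ws-platinum.example/CustomerLookup",
                        when={"class_of_service": "Platinum"}),
            RoutingRule("gold-peak", "https://ws-gold.example/CustomerLookup",
                        when={"class_of_service": "Gold", "hour": business_hours}),
            RoutingRule("executives", "https://ws-platinum.example/CustomerLookup",
                        when={"role": "VP"}),
        ],
        default="https://ws-shared.example/CustomerLookup",
        method_roles={
            "GetCustomer": {"VP", "Manager", "Contractor"},
            "UpdateCustomer": {"VP", "Manager"},
        },
    ))
    return router


if __name__ == "__main__":
    r = demo_router()
    ctx = RequestContext("CustomerLookup", "GetCustomer",
                         {"class_of_service": "Gold", "role": "Manager", "hour": 10})
    print(r.route(ctx))
```

Rules are evaluated in order and the first match wins, so the more specific Platinum rule must precede the role-based one. A service registered without a default is a closed policy that denies whatever the rules do not cover, the safer setting for a paid, differentiated service; the shared default here is the open alternative.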

Page 24: The Common Services Framework Project

Web Service Logging and Monitoring

Log web service requests, responses, security events, etc.
Logging level can be changed by configuration
Uses Windows Management Instrumentation (WMI)
Use Microsoft Operations Manager (MOM) for collection and analysis
Foundation for building other value added services, e.g. Metering and Billing

Page 25: The Common Services Framework Project

CSF Runtime Architecture

(Diagram: the CSF Runtime Engine with pluggable stages for RSA ClearTrust authentication, RSA ClearTrust authorization, logging using WMI, and a custom business rules engine for routing policy. A SOAP request is carried through the input pipeline as a Request Message Context to the Message Router; the SOAP response travels back through the output pipeline as a Response Message Context.)

Runtime features are pluggable and configurable
Input and output pipeline message processing

Page 26: The Common Services Framework Project

CSF Runtime Deployment Scenarios

As a Web service intermediary

(Diagram: .NET and J2EE web service clients, one of them using the CSF Client Toolkit, call the CSF Runtime deployed as a Web Service Intermediary, which applies security, logging and policy-based routing and forwards the request to the .NET and J2EE web services behind it.)

Page 27: The Common Services Framework Project

CSF Runtime Deployment Scenarios

As a chain of web service intermediaries
Distribute processing across intermediaries
AKA "The Message Bus" to some people

(Diagram: .NET and J2EE clients, one using the CSF Client Toolkit, call a first Web Service Intermediary whose CSF Runtime authenticates and routes; it forwards to a second Web Service Intermediary whose CSF Runtime authorizes, logs and routes on to the .NET and J2EE web services.)

Page 28: The Common Services Framework Project

CSF Runtime Deployment Scenarios

"In-Proc" Model
End-to-end processing

(Diagram: the CSF Runtime is hosted in-process at both ends. In the .NET Web Service Client it authenticates and encrypts/decrypts; in the .NET Web Service it authenticates, encrypts/decrypts, authorizes and logs.)

Page 29: The Common Services Framework Project

CSF Runtime Deployment Scenarios Summary

Flexibly combine all models

(Diagram: .NET and J2EE web service clients and services with the CSF Runtime hosted in-process, combined with CSF Runtime instances deployed as Web Service Intermediaries between them.)

Page 30: The Common Services Framework Project

Conclusions

Multiple challenges in Web services management

Common Service Framework:
• Administrative Framework
  Registering web services and consumers
  Managing policies for security, routing etc.
• Runtime Framework
  Enforcing web service management policies
  Easy to add more management enforcement capabilities
  Flexible to support many deployment models