http://www.tibco.com
Global Headquarters, 3303 Hillview Avenue, Palo Alto, CA 94304
Tel: +1 650-846-1000, Toll Free: 1 800-420-8450, Fax: +1 650-846-1005
TIBCO BusinessWorks™: Understanding Web Services Security

1 Overview of Web Services Security
1.1 Identification/Authentication
1.2 Integrity/Digital Signatures
1.3 Confidentiality/Cryptography
2 Getting Started
2.1 X.509 Certificates from TIBCO Enterprise Message Service
2.2 Java Keystore Tool - Recommended
2.3 TIBCO Runtime Agent
2.4 TIBCO Administrator
2.5 Optional: Tools to view the WSS SOAP Payload
3 Building a Simple Web Service in BusinessWorks 5.3
3.1 Setup Folders
3.2 Building a Schema
3.3 Building a Process for a Service
3.4 Adding Communications
3.5 Using the Wizard
3.6 Building the Companion Web Services Client
3.7 Testing the Web Service
5 Using the Policy Palette – UserName Token
5.1 Utilizing the UserName Token to create an Identification Policy
5.1.1 Configure the Inbound Security Policy
5.1.2 Configure the Outbound Security Policy
5.2 Policy Association with Services
5.2.1 Configure the Inbound Security Policy Association
5.2.2 Configure the Outbound Security Policy Association
6 First Test – UserName Identification
6.1 Test
6.1.1 Request Contents – UserName Token
6.1.2 Troubleshooting – Bad ID or Password
6.1.3 Troubleshooting – Administrator is unavailable
6.1.4 Troubleshooting – Mismatched Configurations
7 Change Project from UserName to X.509 for Identification
8 Second Test – X.509 Identification
8.1 Request Contents – BinarySecurityToken
8.2 Troubleshooting – Bad X.509 Private Key Password
8.3 Troubleshooting – Missing Trusted CA Cert in Trusted Certificates Folder
8.4 Troubleshooting – Mismatched Token Types
9 Adding Integrity and Confidentiality
10 Third Test – Identification, Integrity, and Confidentiality
10.1 Troubleshooting
1 Overview of Web Services Security
Discuss the Profiles – TIBCO currently supports the X.509 and Username profiles and their respective tokens.
1.1 Identification/Authentication
Discuss the “Nonce” and timeouts.
1.2 Integrity/Digital Signatures
Discuss Direct Reference vs. Subject Key Identifiers.
2.1 X.509 Certificates from TIBCO Enterprise Message Service
We will be using the certificates in the TIBCO Enterprise Message Service 4.X+ distribution, as found in the <tibco>/ems/bin/certs directory.
2.2 Java Keystore Tool - Recommended
It will be useful to be able to create Java Keystores, as they have a flexibility that will facilitate certain use-case scenarios.
2.3 TIBCO Runtime Agent
We will need access to the files associated with the TRA of Designer so that we can simulate a deployed project in Designer for purposes of Authentication.
2.4 TIBCO Administrator
In this document, we are assuming that there is an Administrative ID – “admin” with a password of “admin”, and that the Administrator is running concurrently with your Designer.
2.5 Optional: Tools to view the WSS SOAP Payload
Web Services Security creates a processing overhead, as you would expect from any security processing, but it also inflates the SOAP payload. I will use the Axis distribution of TCPMon as a proxy to capture the SOAP message exchanges, to illustrate the mechanics and instantiation of the Authentication, Integrity, and Confidentiality aspects of Web Services Security.
TCPMon has been “externalized” from Axis, and is available here:
http://ws.apache.org/commons/tcpmon/download.cgi
3 Building a Simple Web Service in BusinessWorks 5.3
Create a new BusinessWorks project – in this example, I have called the project “UnderstandingWSS”. The scenario is very simple, with a single field being sent as a string and a simple string as a reply. The Client will ask for the Time and the Server will respond accordingly.
3.1 Setup Folders
Drag and drop four Folders into the Project: Schema, Communications, Security, and Processes. Open up the Security folder and drag and drop three folders into it: Identities, Security Policies, and Trusted Certificates.
These folders will provide the structure for our activities.
3.2 Building a Schema
Using the XML Tools Palette, drag and drop a Schema object into the Schema folder, and configure it with two string elements as shown in the diagram below.
3.3 Building a Process for a Service
Drag and drop a Process into the Processes Folder, and simply connect the Start to the End Activity. Next, associate the XSD you just created with the Start Activity’s Output Editor, picking an XML Element Reference and selecting a resource – pick the Inquiry element.
Continue on to the End Activity, again using an XML Element Reference in the Input Editor, but when you choose a Resource, pick the Answer element as shown below. These elements will become the Messages in the WSDL that the Wizard will create for you.
To provide some processing, and to have a valid process definition (the elements were set as “required”), put a string in the output element. As we will be asking for the time, I have chosen to respond by concatenating some words with the XPath expression for current-dateTime().
3.4 Adding Communications
Highlight the Communications Folder and drag and drop an HTTP Connection object, configuring it with a free port – I have port 7177 free on my machine.
3.5 Using the Wizard
Now we have a process with inputs and outputs that are compatible with a WSDL structure, and a communications configuration for the bindings – so we are ready to use the Wizard! You can use the Tools Menu to “Generate Web Service”, or highlight the project, right-click and navigate the menu from Tools or Multi User -> Generate Web Service -> From Process.
The following pop-up appears with most of the defaults filled in. You will need to pick the Process with the Process Chooser (if you have multiple processes), the Transport, and the Location for the resulting WSDL. As we have built this project, the following screen should put everything in its proper place:
Notice that we now have three new objects in the Processes Folder:
o infTellingTime WSDL
o wsTellingTime Process
o infTellingTime Service
Open the Source Tab of the intfTellingTime-service WSDL to view the new WSDL based on your Service Definition, highlight the source (Control-A) and copy it to the clipboard (Control-C). Next, open the Schema Folder, drag and drop a new WSDL object, go to the Menu Bar and open it with Display XML in Source View; now highlight the stub and replace it with the source you copied in the previous step (using Control-V; the result is shown below). Save the new WSDL. This will be the Concrete WSDL for the Web Service Client.
Here is the resulting Concrete WSDL source:
3.6 Building the Companion Web Services Client
Open up the Processes Folder and drag and drop a new Process Definition (we are calling it WhatTimeIsIt). Open up the process, put a SOAP Request Reply Activity in it, and connect the Start Activity to the SOAP Request Reply Activity and then on to the End Activity as shown below:
Pick a Namespace, Service, Port, and Operation – this time you want to pick from the newly created Concrete Client WSDL.
As the elements are “Required”, you will need to open the Input Tab and ask for the Time!
3.7 Testing the Web Service
Now we are ready to save the project and test the Services. Click the Tester Tab on the left, make sure that the intfTellingTime Service icon’s checkbox and the Client Process Definition checkbox are both checked, then either Load Selected and initiate a Job by right-clicking the Client Process Definition -> Create a Job, or use Load & Start Current.
You can see the results in the End Activity of the Client as it gets the response from the Web Service. We are now ready to focus on Web Services Security!
4 Assemble Security Tokens
We will be using X.509 Certificates from the TIBCO Enterprise Message Service distribution, which can be found in the <tibco>/bin/certs directory.
4.1 Identity Objects
Drag and Drop two Identity objects into the Identities Folder; these will be the two flavors for the WSS Client.
The first one will be the UserNameToken Identity which will be authenticated against the Administrator. I have
configured it in the screenshot below with the ID of “admin” and the password of “admin”:
The second Identity will be an X.509v3-based Token, so change the Type to Identity File, navigate to the TIBCO Enterprise Message Service folder that contains the certificates and import client_identity.p12; the private key password is “password”. Configure the File Type as PKCS12.
The screenshot is below:
4.2 Trusted Certificate Folders
Next, we will prepare the Server Side for using X.509v3 certificates by importing the Client certificate and the root Certificate Authority for the Client Certificate into the Trusted Certificates Folder. Highlight the Trusted Certificates Folder in the project, navigate Tools -> Trusted Certificates -> Import into PEM Format and pick the following TIBCO Enterprise Message Service certificates:
o client.cert.pem
o client_root.cert.pem
When finished, your folder should look like this:
5 Using the Policy Palette – UserName Token
Open up the Security Policies Folder and drag and drop two Security Policy objects and two Security Policy Association objects into this folder. Name them in pairs: Inbound and Outbound. The Security Policy will be configured with only the Authentication checkbox checked – later we will configure them for Integrity and Confidentiality.
5.1 Utilizing the UserName Token to create an Identification Policy
5.1.1 Configure the Inbound Security Policy
Config Tab:
o Name: Inbound
o Policy Type: inbound
o Authentication: checked (do not check any other boxes!)
Authentication Tab:
o Highlight UserNameToken – leave Trusted Certificates Folder Blank
5.1.2 Configure the Outbound Security Policy
Config Tab:
o Name: Outbound
o Policy Type: outbound
o Authentication: checked (do not check any other boxes!)
Authentication Tab:
o Security Token: Pull-down menu to UserNameToken
o Username Password Identity: pick - /Security/Identities/UserNameToken.id
o Password Type: Text
5.2 Policy Association with Services
5.2.1 Configure the Inbound Security Policy Association
Configuration Tab:
o Name: Inbound
o Apply Policy to: (navigate to the service as shown below)
o Inbound Message Policy: (navigate to the policy as shown below)
5.2.2 Configure the Outbound Security Policy Association
Configuration Tab:
o Name: Outbound
o Apply Policy to: (navigate to the SOAP Request/Reply as shown below)
o Outbound Message Policy: (navigate to the policy as shown below)
There is no need to configure any other Tabs in either Association at this time.
6 First Test – UserName Identification
As we will be testing in the Test Mode of Designer without any deployment, we need to associate the Designer with a particular TIBCO Administrative Domain.
Here are the preparatory steps:
o Save your project.
o Stop BusinessWorks Designer completely.
o Navigate to <tibco>/tra/domain/<yourdomain>, locate the “AuthorizationDomain.properties” file and copy it to <tibco>/tra/<version>.
o Make certain that your domain Administrator is running.
o Restart Designer and bring up this project.
Here is what my AuthorizationDomain.properties file looks like:
6.1.3 Troubleshooting – Administrator is unavailable
Stop the Administrator and retest: you won’t find any difference, as Designer is doing some caching, so completely stop and restart Designer and test again.
You will get the same error – SOAPPLUGIN–100023 – but the Fault will be different – WS Security Error: 111000.
6.1.4 Troubleshooting – Mismatched Configurations
Let’s set it up so that the Client DOESN’T send any Authentication Data while the Server expects it. Change the Outbound Policy by un-checking the Authentication box.
<ns0:Inquiry xmlns:ns0="http://xmlns.example.com/unique/default/namespace/1154630967053">What Time is it?</ns0:Inquiry>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
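To make concrete what the Inbound policy of section 5.1.1 checks when a request arrives, and why the failures in 6.1.2 (bad ID or password) and 6.1.4 (client sends no authentication data) are rejected, here is an added example in Python. It is not TIBCO code and not part of the original document: it builds a SOAP 1.1 request carrying a WS-Security UsernameToken with Password Type Text, a Nonce and a Created timestamp (the shape the Outbound policy of 5.1.2 emits), and applies an inbound check that mirrors the policy: the wsse:Security header must be present, the token type must match the policy, the Created timestamp must be recent, the Nonce must not have been seen before, and the credentials must match. The credential dictionary stands in for the Administrator's user store, the namespaces are the OASIS WS-Security 1.0 URIs, and the sample body is constructed for this example.

```python
"""Added example (not TIBCO's code): WS-Security UsernameToken build and inbound policy check."""
import base64
import hmac
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from xml.sax.saxutils import escape

# Namespaces fixed by the OASIS WS-Security 1.0 specifications
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
PASSWORD_TEXT = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-username-token-profile-1.0#PasswordText")
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def build_username_token_envelope(user, password, body_xml, nonce=None, created=None):
    """Build a SOAP 1.1 envelope whose header carries a UsernameToken with
    Password Type Text, a random Nonce and a Created timestamp (what the
    Outbound policy in the text sends). nonce/created can be fixed for tests."""
    nonce = nonce or base64.b64encode(os.urandom(16)).decode()
    created = created or datetime.now(timezone.utc).strftime(TS_FMT)
    return (
        f'<SOAP-ENV:Envelope xmlns:SOAP-ENV="{SOAP_ENV}"><SOAP-ENV:Header>'
        f'<wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}"><wsse:UsernameToken>'
        f'<wsse:Username>{escape(user)}</wsse:Username>'
        f'<wsse:Password Type="{PASSWORD_TEXT}">{escape(password)}</wsse:Password>'
        f'<wsse:Nonce>{nonce}</wsse:Nonce><wsu:Created>{created}</wsu:Created>'
        f'</wsse:UsernameToken></wsse:Security></SOAP-ENV:Header>'
        f'<SOAP-ENV:Body>{body_xml}</SOAP-ENV:Body></SOAP-ENV:Envelope>'
    )


def token_type(envelope_xml):
    """Return the token the wsse:Security header carries: 'UsernameToken',
    'BinarySecurityToken', 'none' (no header at all) or 'other'."""
    root = ET.fromstring(envelope_xml)
    sec = root.find(f"{{{SOAP_ENV}}}Header/{{{WSSE}}}Security")
    if sec is None:
        return "none"
    for child in sec:
        local = child.tag.split("}")[-1]
        if local in ("UsernameToken", "BinarySecurityToken"):
            return local
    return "other"


def check_inbound_policy(envelope_xml, expected_token, credentials, seen_nonces,
                         max_skew=timedelta(minutes=5)):
    """Apply an Inbound policy that requires Authentication with `expected_token`.
    `credentials` (user -> password) stands in for the Administrator; `seen_nonces`
    is the replay cache the receiver keeps. Returns (accepted, reason)."""
    found = token_type(envelope_xml)
    if found == "none":
        return False, "no wsse:Security header (mismatched configuration)"
    if found != expected_token:
        return False, f"policy expects {expected_token}, request carries {found}"
    if found == "BinarySecurityToken":
        # Chain validation against the Trusted Certificates folder is not shown here.
        return True, "token type matches policy; X.509 chain still to be validated"
    root = ET.fromstring(envelope_xml)
    tok = root.find(f"{{{SOAP_ENV}}}Header/{{{WSSE}}}Security/{{{WSSE}}}UsernameToken")
    pwd_el = tok.find(f"{{{WSSE}}}Password")
    nonce = tok.findtext(f"{{{WSSE}}}Nonce")
    created = tok.findtext(f"{{{WSU}}}Created")
    if pwd_el is None or pwd_el.get("Type") != PASSWORD_TEXT:
        return False, "password type is not PasswordText"
    if not nonce or not created:
        return False, "nonce or created timestamp missing"
    created_dt = datetime.strptime(created, TS_FMT).replace(tzinfo=timezone.utc)
    if abs(datetime.now(timezone.utc) - created_dt) > max_skew:
        return False, "created timestamp outside the allowed window"
    if nonce in seen_nonces:
        return False, "nonce already seen (replay)"
    seen_nonces.add(nonce)  # consumed even if the password turns out wrong
    user = tok.findtext(f"{{{WSSE}}}Username") or ""
    # Constant-time comparison so a wrong guess does not leak timing information
    if not hmac.compare_digest(credentials.get(user, ""), pwd_el.text or ""):
        return False, "bad ID or password"
    return True, "authenticated"


def demo():
    """The three cases the text exercises: good credentials, a bad password,
    and a client whose Outbound policy sends no authentication data."""
    creds = {"admin": "admin"}  # constructed stand-in for the Administrator
    seen = set()
    body = '<ns0:Inquiry xmlns:ns0="urn:example">What Time is it?</ns0:Inquiry>'
    good = build_username_token_envelope("admin", "admin", body)
    bad = build_username_token_envelope("admin", "wrong", body)
    unauth = (f'<SOAP-ENV:Envelope xmlns:SOAP-ENV="{SOAP_ENV}">'
              f'<SOAP-ENV:Body>{body}</SOAP-ENV:Body></SOAP-ENV:Envelope>')
    return [check_inbound_policy(e, "UsernameToken", creds, seen)[0]
            for e in (good, bad, unauth)]


if __name__ == "__main__":
    print(demo())  # [True, False, False]
```

Calling `demo()` returns one verdict per case; the reason strings returned alongside map onto the faults the text walks through. Note that the nonce is added to the replay cache before the password is compared, so a captured request cannot be presented again regardless of whether its credentials were valid, and that with `expected_token="BinarySecurityToken"` a UsernameToken request is rejected as a token-type mismatch, which is the situation of section 8.4.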
8.2 Troubleshooting – Bad X.509 Private Key Password
Change the password from “password” to something else and re-run the test – you will see that the Client fails to communicate with the Server, and you will get the following error:
8.3 Troubleshooting – Missing Trusted CA Cert in Trusted Certificates Folder
You will get the same error as for the inability to validate credentials with the Administrator when using UserName Tokens, even though using X.509 Tokens does NOT involve the Administrator in any fashion; just as the Administrator was the trusted authority for UserName Tokens, the Trusted Certificates Folder is the authority for X.509 Tokens.