SOA Security. CORISECIO GmbH - Uhlandstr Darmstadt - Germany - - Copyright All Rights Reserved

Transcription

1 SOA Security CORISECIO GmbH - Uhlandstr Darmstadt - Germany Copyright All Rights Reserved

2 SOA Security

3

4 1. Adapter requirements securityruntime (secrt) & managementruntime securityruntime (secrt) Functional overview Data types crs:multilinestring crs:xpath crs:certificate crs:privatekey crs:role Functions SAMLAddUserAuth (SAML 1.X) SAMLAddUserAuth (SAML 2.0) SAMLCheckUserAuth (SAML 1.1) SAMLCheckUserAuth (SAML 2.0) decryptxpath encryptxpath encryptxpathforcertificate RemoveSignatureHeader SignSOAPEnvelope SignSOAPEnvelopeWithXPath VerifySOAPEnvelope Add VerifySOAPEnvelopeWithXKMS WSSecurityAddTimestamp WSSecurityAddSAMLTen (SAML 1.1) WSSecurityCheckSAMLTen (SAML 1.1) WSSecurityCheckTimestamp WSSecurityDecrypt WSSecurityEncryptXPathWithXKMS WSSecurityEncryptForCertificate WSSecurityRemoveHeader WSSecuritySignXPath WSSecurityVerify Index... 11

5 Chapter 1. Adapter requirements 1. securityruntime (secrt) & managementruntime 1.1. securityruntime (secrt) The SOA Security adapter requires secrt-ssf 1.1 1

6 Chapter 2. Functional overview 1. Data types 1.1. crs:multilinestring A crs:multilinestring represents a multi-line string crs:xpath A crs:xpath represents an XPath expression. Supported is XPath Version 1.0 (based on Xalan 2.7.0). Please te, that XPath is namespace-aware and use //*[local-name()='cityname' and namespace-uri()=' expression to operate on des wtih namespace specified crs:certificate A crs:certificate represents an Base-64 encoded X.509 (.CER) certificate crs:privatekey A crs:privatekey represents an private key container (supported are.p12 and.jks) with RSA (max. key length 1024) key crs:role A crs:role represents a created role, which may be assigned to ne, one or many users. 2. Functions 2.1. SAMLAddUserAuth (SAML 1.X) The function SAMLAddUserAuth (SAML 1.X) adds a SAML 1.1 Assertion to the SOAP message header. The Assertion may contain a signature. The function SAMLAddUserAuth (SAML 1.X) contains the following configuration parameter: User name The subject's user name. If this parameter is t given, the content of the execution variable username is used. Authentication method The authentication method used to authenticate the subject. If this parameter is t given, the content of the execution variable saml.authncontextclassref is used. Issuer The issuer's name. Private key crs:privatekey The private key for signing the assertion. Certificate crs:certificate The certificate for signing the assertion. For the function contains the following signature: Result Typ message The Assertion was successfully added to the SOAP Header. An Error occurred during the process SAMLAddUserAuth (SAML 2.0) The function SAMLAddUserAuth (SAML 2.0) adds a SAML 2.0 Assertion to the SOAP Header. The Assertion may contain a signature. The function SAMLAddUserAuth (SAML 2.0) contains the following configuration parameter: User name The subject's username. If this parameter is t given, the content of execution variable username is used. 2

7 Authentication method The authentication method used to authenticate the subject. If this parameter is t given, the content of the execution variable saml.authncontextclassref is used. Issuer The issuer's name. Private key crs:privatekey The private key for signing the assertion. Certificate crs:certificate The certificate for signing the assertion. The function contains the following signature Result Name Result message The Assertion was successfully added to the SOAP Header. An Error occurred during the process SAMLCheckUserAuth (SAML 1.1) The function SAMLCheckUserAuth (SAML 1.1)verifies a SAML 1.1 Assertion in the Header of a SOAP Message. An Assertion is valid, if the specified validity period has t expired and if the subject is a kwn entity. If the assertion contains a signature, it must be signed by a kwn entity. The function sets the Subject in the execution variable username and the authentication method of the SAML Assertion in the execution variable saml.authncontextclassref. The fuction SAMLCheckUserAuth (SAML 1.1) contains configuration parameter. The function contains for the following signature: Result verified The assertion was successfully verified. invalid The specified validity period expired or the subject is unkwn. Assertion The SOAP Header does t contain a SAML Assertion. An occurred during the process SAMLCheckUserAuth (SAML 2.0) The function SAMLCheckUserAuth (SAML 2.0) verifies a SAML 2.0 Assertion in the Header of a SOAP Message. An Assertion is valid, if the specified validity period has t expired and if the subject is a kwn entity. If the assertion contains a signature, it must be signed by a kwn entity. The function sets the Subject in the execution variable username and the authentication method of the SAML Assertion in the execution variable saml.authncontextclassref. The function SAMLCheckUserAuth (SAML 2.0) contains configuration parameter. The function contains for the following signature: Result verified The assertion was successfully verified. invalid The specified validity period expired or the subject is unkwn. Assertion The SOAP Header does t contain a SAML Assertion. An occurred during the process. 3

8 2.5. decryptxpath The function decryptxpath decrypts an encrypted XML-Element on the specified X-Path location. It uses the private key of the securityruntime. The function decryptxpath contains the following parameter: XPath crs:xpath The specified X-Path location. The functions contains for the following signature: decrypted The decryption was successful. An occurred during the process encryptxpath The function encryptxpath encrypts a on a specified X-Path location with the public key defined in the execution variable username. The value of the execution variable may be set using e.g. SetExecVariable The function encryptxpath contains the following configuration parameter: xpath crs:xpath The specified X-Path location. The function contains for the following signature: encrypted The encrytion was successful. An occurred during the process encryptxpathforcertificate The function encryptxpathforcertificate encrypts a on a specified X-Path location using the specified certificate (which must be a Base-64 encoded X.509 (.CER)). The function encryptxpathforcertificate contains the following configuration parameter: xpath crs:xpath The specified X-Path location. The certificate which will be used for the encryption. Encryption crs:certificate certificate The function contains for the following signature: encrypted The encryption was successful. An occurred during the process RemoveSignatureHeader The function RemoveSignatureHeader removes a signature header that was created with SignSOAPEnvelope or SignSOAPEnvelopeWithXPath. The function RemoveSignatureHeader contains the following configuration parameter. SOAP 1.2 role or SOAP 1.1 actor 4

9 The function contains for the following signature: Result The header was removed. An occurred during the process SignSOAPEnvelope The function SignSOAPEnvelope signs the body of a SOAP Message with the key of the server entity. The XML-Signature is created in the header of the SOAP Message. The function SignSOAPEnvelope contains the following configuration parameter. SOAP 1.2 role or SOAP 1.1 actor Note Please te that the function igres SOAP Attachments. The function contains for the following signature: Result signed The message was signed. An occurred during the process SignSOAPEnvelopeWithXPath The function SignSOAPEnvelopeWithXPath signs of a SOAP Message with the key of the server entity. The XML-Signature is created in the header of the SOAP Message. The function SignSOAPEnvelopeWithXPath contains the following configuration parameters. SOAP 1.2 role or SOAP 1.1 actor XPath crs:xpath this parameter references the elements which should be signed; to work properly the given XPath should reference one ore more elements of the SOAP Message body BaseRefURI URI for referencing the signed parts. This is only used if the elements do t contain an id attribute Note Please te that the function igres SOAP Attachments. The functions contains for the following signature: Result signed The message was signed. An occurred during the process VerifySOAPEnvelope The function VerifySOAPEnvelope verifies the signature of a SOAP Message. The signature must be in XML Signature format in the header of the SOAP Message. For the verification of the Signature a certificate is retrieved from the certificate store which is named after the value of the execution variable username. If the username variable ist t set, the KeyInfo element of the signature is used to verify the message. The found key information must belong to a kwn entity. The function VerifySOAPEnvelope contains the following parrameter. 5

10 SOAP 1.2 role or SOAP 1.1 actor The function contains for the following signature: Result valid The verification of the signature was successful. The Message was t modified and it was signed with a private key which associated with an available certificate in the store. invalid The verification of the signature failed. Possible causes are a missing signature element, a missing certificate or the message was modified. An occurred during the process Add The function Add creates a (SOAP 1.1 or 1.2) from given string. The content of the SOAP Message must be configured without Body-Element. The function Add contains the following configuration parameter: Message Page tent XML string (SOAP 1.1 or SOAP 1.2) XML string, payload of con-crs:multilinestring The function contains for the following signature: Result message created from provided XML string VerifySOAPEnvelopeWithXKMS The function VerifySOAPEnvelopeWithXKMS verifies a for a given certificate using the specified XKMS service. The function VerifySOAPEnvelopeWithXKMS contains the following configuration parameters: SOAP 1.2 role or SOAP 1.1 actor xkms URL of XKMS service. The function contains for the following signature: Result valid Signature was found valid. invalid Signature was found invalid. invalidcertificate XKMS service could t validate the certificate provided in. An occurred during the process WSSecurityAddTimestamp The function WSSecurityAddTimestamp adds an timestamp element to the WS Security header. The timestamp is t signed. 6

11 The function WSSecurityAddTimestamp contains the following configuration parameter: Time to live in seconds Defines the actor for the security header. xsd:int The time the ten is valid. The function contains for the following signature: Result The timestamp ten was created successfully. An occurred during the process WSSecurityAddSAMLTen (SAML 1.1) The function WSSecurityAddSAMLTen (SAML 1.1) adds a signed SAML 1.1 Assertion to the WS Security header. The subject confirmation method is holder-of-key. The assertion must be signed. The function WSSecurityAddSAMLTen (SAML 1.1) contains the following configuration parameter: Defines the actor for the security header. User name The subject's user name. If this parameter is t given, the content of the execution variable username is used. Authentication method The authentication method used to authenticate the subject. If this parameter is t given, the content of the execution variable saml.authncontextclassref is used. Issuer The issuer's name. crs:privatekey The private key for signing the assertion. The corresponding certificate is added to the message. Key For the function contains the following signature: Result Typ The Assertion was successfully added to the SOAP Header. An Error occurred during the process WSSecurityCheckSAMLTen (SAML 1.1) The function WSSecurityCheckSAMLTen (SAML 1.1)verifies a SAML 1.1 Assertion in the WS Security Header of a SOAP Message. The function sets the Subject in the execution variable username and the authentication method of the SAML Assertion in the execution variable saml.authncontextclassref. The function WSSecurityCheckSAMLTen (SAML 1.1) contains the following configuration parameter: Defines the recipient actor for the security header. The function contains for the following signature: Result verified The assertion was verified successfully. invalid The assertion can t be verified. 7

12 Result Assertion No assertion was found for the given actor. An occurred during the process WSSecurityCheckTimestamp The function WSSecurityCheckTimestamp checks if the timestamp of the WS Security header is valid. The function WSSecurityCheckTimestamp contains the following configuration parameter: Defines the recipient actor for the security header. The function contains for the following signature: Result valid The timestamp is valid. invalid The timestamp is invalid. An occurred during the process. For example a timestamp was missing for the given actor WSSecurityDecrypt The function WSSecurityDecrypt decrypts XML-Element(s) on the location(s), which are referenced via a ReferenceList-Element (namespace " The function WSSecurityDecrypt contains the following parameter: Defines the actor for the security header. The function contains for the following signature: Result decrypted The message was decrypted successfully. An occurred during the process WSSecurityEncryptXPathWithXKMS The function WSSecurityEncryptXPathWithXKMS encrypts a for a given certificate on a specified X-Path location. The certificate is retrieved by the configured XKMS Service. Note If the X-Path location references multiple element, only the first found element is encrypted. The function WSSecurityEncryptXPathForHostname contains the following configuration parameter: Defines the actor for the security header. User The User whose certificate should be used to encrypt the message XKMS URL URL of XKMS service. XPath crs:xpath The specified XPath location (default value references the SOAP body). request Validate/Locate to trigger the validation of certificate. Request type The function contains for the following signature: 8

13 Result encrypted The encryption was successful. Certificate Requested certificate was t provided by XKMS service. xkmserror An occurred while contacting the XKMS service. An occurred during the process WSSecurityEncryptForCertificate The function WSSecurityEncryptForCertificate encrypts a on a specified X-Path location with the public key defined in the given certificate. Note If the X-Path location references multiple element, only the first found element is encrypted. The function WSSecurityEncryptForCertificate contains the following configuration parameter: Defines the actor for the security header. Encryption certificate crs:certificate The certificate with the public key for the receiver. crs:xpath The specified X-Path location (default value references the SOAP body). xpath The function contains for the following signature: Result encrypted The encryption was successful. An occurred during the process WSSecurityRemoveHeader The function WSSecurityRemoveHeader (SAML 1.1) removes the WS Security header with the configured actor from the message. The function WSSecurityRemoveHeader (SAML 1.1) contains the following configuration parameter: Defines the actor for the security header. For the function contains the following signature: Result Typ message The Header was successfully removed. An Error occurred during the process WSSecuritySignXPath The function WSSecuritySignXPath signs asoap Message with the key of the server entity. The XML-Signature is created in the header of the SOAP Message. Note If the X-Path location references multiple element, only the first found element is signed. The function WSSecuritySignXPath contains the following configuration parameter: Defines the actor for the security header. 9

14 xpath crs:xpath The specified X-Path location (default value references the SOAP body). The function contains for the following signature: Result signed The signature was successfully applied. An occurred during the process WSSecurityVerify The function WSSecurityVerify verifies the signature of a SOAP Message. The signature must be WS Security compatible in the header of the SOAP Message. For the verification of the Signature a certificate is retrieved from the certificate store which is named after the value of the execution variable username. If the username variable ist t set, the KeyInfo element of the signature is used to verify the message. The found key information must belong to a kwn entity. The function WSSecurityVerify contains the following configuration parameter: Defines the recipient actor for the security header. The function contains for the following signature: Result valid The verification of the signature was successful. The Message was t modified and it was signed with a private key which associated with an available certificate in the store. invalid The verification of the signature failed. Possible causes are a missing signature element, a missing certificate or the message was modified. An occurred during the process. 10

15 Index saml.authncontextclassref, 3 A Add, 6 Assertion, 2, 2, 3, 3, 7, 7 C crs:certificate, 2 crs:multilinestring, 2 crs:privatekey, 2 crs:role, 2 crs:xpath, 2 D decryptxpath, 4 E encryptxpath, 4 encryptxpathforcertificate, 4 execution variable saml.authncontextclassref, 3, 7 username, 3, 3, 5, 7, 10 R RemoveSignatureHeader, 4 S SAML, 2, 2, 3, 3, 7, 7 SAMLAddUserAuth (SAML 1.X), 2 SAMLAddUserAuth (SAML 2.0), 2 SAMLCheckUserAuth (SAML 1.1), 3 SAMLCheckUserAuth (SAML 2.0), 3 signature, 2, 2 Signature, 5, 10 SignSOAPEnvelope, 5 SignSOAPEnvelopeWithXPath, 5 V VerifySOAPEnvelope, 5 VerifySOAPEnvelopeWithXKMS, 6 W WSSecurityAddSAMLTen (SAML 1.1), 7 WSSecurityAddTimestamp, 6 WSSecurityCheckSAMLTen (SAML 1.1), 7 WSSecurityCheckTimestamp, 8 WSSecurityDecrypt, 8 WSSecurityEncryptForCertificate, 9 WSSecurityEncryptXPathWithXKMS, 8 WSSecurityRemoveHeader, 9 WSSecuritySignXPath, 9 WSSecurityVerify, 10 X XML-Signature, 5, 5, 5, 9