SECURE YOUR INTEGRATIONS. Maarten Smeets

Transcription

1 SECURE YOUR INTEGRATIONS Maarten Smeets

2 About Maarten Integration consultant at AMIS since 2014 Several certifications SOA, BPM, MCS, Java, SQL, PL/SQL, Mule, AWS, etc Enthusiastic blogger

3 500+ Technical Experts Helping Peers Globally 3 Membership Tiers Oracle ACE Director Oracle ACE Oracle ACE Associate bit.ly/oracleaceprogram Connect: oracle-ace_ww@oracle.com Nominate yourself or someone you know: acenomination.oracle.com

4 SECURE YOUR INTEGRATIONS WHAT DO YOU HOPE TO ACHIEVE? SECURITY IN DIFFERENT LAYERS TLS TLS AND JAVA CERTIFICATES KEYSTORES CIPHER SUITES TLS IN THE ORACLE CLOUD APPLICATION SECURITY

5

6 INTRODUCTION GDPR GENERAL DATA PROTECTION REGULATION (GDPR) "...implement measures to mitigate those risks, such as encryption." (P51. (83)) "...appropriate safeguards, which may include encryption" (P121 (4.e)) "...including inter alia as appropriate: (a) the pseudonymization and encryption of personal data." (P160 (1a)) "...unintelligible to any person who is not authorized to access it, such as encryption" (P163 (3a))

7 WHAT DO YOU HOPE TO ACHIEVE? Confidentiality Integrity Authentication Identification Authorization Access to specific resources Entitlements

8 WHAT DO YOU HOPE TO ACHIEVE? CONFIDENTIALITY AND INTEGRITY: REPUDIATION OF EMISSION Do you trust the contents of the message Integrity and Confidentiality

9 WHAT DO YOU HOPE TO ACHIEVE? AUTHENTICATION AND IDENTIFICATION: REPUDIATION OF ORIGIN Do you trust the source of the message Authentication and Identification

10 SECURITY IN DIFFERENT LAYERS Application layer (HTTP, LDAP) Security only in the application layer might cause plaintext passwords or reusable tokens to be transmitted and potentially intercepted TLS/SSL layer Transport layer (TCP, UDP) Network layer (IP)

11 SECURITY IN DIFFERENT LAYERS TLS VS APPLICATION LAYER SECURITY Performance TLS is much faster than security on message contents Granularity TLS is usually on host level Application security can be much more specific Genericity TLS can be used on HTTP, SMTP, T3 Application layer security is specific for a platform / application

12 SECURITY IN DIFFERENT LAYERS WHICH PRODUCTS? Loadbalancers For example F5 product Oracle Traffic Director (also used in Oracle Cloud) On a webserver / application server Oracle HTTP Server WebLogic Server Using an API gateway product API Platform Cloud Service API Gateway

13 TRANSPORT LAYER SECURITY 1 2 Concepts TLS and Java

14 SECURITY IN DIFFERENT LAYERS WHAT CAN YOU ACHIEVE WITH TLS? Secure message exchange Confidentiality by using symmetric cryptography Integrity by using message authentication codes (MAC) Identification Authentication By using public key cryptography Authorization

15 BACKGROUND AND CONCEPTS TLS: VERSIONS Netscape IETF TLS version Released Most important vulnerabilities SSL 1 No Never released due to too many issues SSL DROWN SSL POODLE TLS BEAST TLS CBC, Sweet32 TLS Logjam, FREAK, Heartbleed (OpenSSL) TLS 1.3 TBD

16 BACKGROUND AND CONCEPTS TLS: JAVA TLS 1.2 is supported from Oracle JDK 6u121 JRockit R JCE on JRockit and Oracle JDK See Oracle support Doc ID JCE for the best cipher suites Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files JCE is no longer required after Version 6u191, 7u181, 8u171, 9

17 BACKGROUND AND CONCEPTS Handshake Certificates Keystores Cipher suites

18 BACKGROUND AND CONCEPTS TLS LAYER Client and server perform a handshake During the handshake certificates are exchanged Certificates are stored in keystores and can be checked Client and server agree on further details of the connection (cipher suite)

19 BACKGROUND AND CONCEPTS WHAT S IN A CERTIFICATE A public key Information on the issuer A serial number, unique per issuer A period during which the certificate is valid A hostname or hostname wildcard References to certificate revocation lists

20 BACKGROUND AND CONCEPTS CERTIFICATES AND TRUST

21 BACKGROUND AND CONCEPTS KEYSTORES

22 BACKGROUND AND CONCEPTS KEYSTORES: FILE BASED FORMATS Java Keystore / JKS File extension:.jks Keystore Explorer Public-Key Cryptography Standards / PKCS #12 File extension:.p12 or.pfx Portecle Java Cryptography Extension KeyStore / JCEKS For storing secret keys / credentials File extension:.jceks keytool

23 BACKGROUND AND CONCEPTS KEYSTORES: ORACLE PLATFORM SECURITY SERVICES (OPSS) KeyStoreService / KSS Credential Store Framework or CSF

24 BACKGROUND AND CONCEPTS CIPHER SUITES Key exchange Signature Bulk encryption algorithm Message authentication algorithm TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 Authentication Identification Repudiation of origin Confidentiality Integrity Repudiation of emission

25 BACKGROUND AND CONCEPTS CIPHER SUITES: AGREEMENT CLIENT/SERVER DURING HANDSHAKE Hi! I can speak Dutch and English. Hi! I can speak Norwegian and English I would prefer Norwegian but since you wouldn t understand me, lets talk English! Client Server

26 BACKGROUND AND CONCEPTS CIPHER SUITES: AGREEMENT CLIENT/SERVER DURING HANDSHAKE The server has a list of supported cipher suites in order of preference The server chooses the cipher suite which will be used based on what the client indicates it supports If the server supports a poor cipher suite (even with a low priority) the client can indicate it only supports that one and it will be used! Some cipher suites do not do encryption, key exchange or message integrity checking

27 BACKGROUND AND CONCEPTS USING A TLS CONNECTION IS NOT SECURE BY DEFAULT! Lets do security! Lets not check each others identity, do encryption or integrity checks, ok? Good idea! Lets do that! Sure! Yay! We re secure! Client Server

28 BACKGROUND AND CONCEPTS 1 2 One way TLS Two way TLS

29 BACKGROUND AND CONCEPTS ONE WAY The client does not send a certificate the server can check The server sends a certificate the client can check

30 BACKGROUND AND CONCEPTS TWO WAY The client sends a certificate the server can check The server sends a certificate the client can check

31 BACKGROUND AND CONCEPTS CONSIDERATIONS ONE OR TWO WAY SSL Do you require validation of the client? Are client and server located in the same data center? Is the server publicly exposed? Can you control the client? Force the client to use a client certificate? Manage client certificates next to server certificates Performance. Per TLS connection extra validations need to be performed. More network traffic is required since the client also sends a certificate

32 TLS IN SOA SUITE OUTBOUND 2-WAY 1 2 Composites Service Bus

33 TLS IN SOA SUITE Composites: one client certificate for 2-way TLS per domain Service Bus: multiple client certificates for 2-way TLS configurable per service

34 TLS IN SOA SUITE COMPOSITES Configure the composite identity keystore This is domain level configuration! Not customizable per service Configure keystore password and key password Add CSF entries in the folder SOA Configure composite reference for 2-way SSL <property name= oracle.soa.two.way.ssl.enabled >true</property>

35 TLS IN SOA SUITE SERVICE BUS PKICredentialMapper Create a PKICredentialMapper in WebLogic Console Configure the keystore and keystore password to use ServiceKeyProvider Create a ServiceKeyProvider in a project (or a shared location) This uses the PKICredentialMapper. Contains a reference to the key and key password

36 TLS IN THE ORACLE CLOUD 1 2 IaaS and Compute based PaaS Non Compute based PaaS and SaaS

37 TLS IN THE ORACLE CLOUD IAAS AND COMPUTE BASED PAAS Services in which the customer can access the VM Like Java Cloud Service, Database Cloud Service bring your own host name policy The customer is responsible for requesting a certificate and implementing it

38 TLS IN THE ORACLE CLOUD NON COMPUTE BASED PAAS AND SAAS Services like ICS SOACS Mobile Cloud Service Document Cloud Service Sales Cloud ERP Cloud Oracle offers a (wildcard) certificate per cloud service per region Cipher suites are preconfigured not configurable

39 TLS IN THE ORACLE CLOUD CIPHER SUITES TLS 1.2 GCM cipher suites are not supported. These offer integrity checking. Several SHA cipher suites (next to SHA256). These are vulnerable against collision attacks RSA key exchange does not provide forward secrecy TLS_RSA_WITH_3DES_EDE_CBC_SHA Is a weak cipher suite TLS 1.0 is supported Possibly vulnerable for POODLE and BEAST

40 APPLICATION SECURITY 1 2 SOAP, REST WS Security in OWSM

41 WHAT DO YOU HOPE TO ACHIEVE? Confidentiality Integrity Authentication Identification Authorization Access to specific resources Entitlements

42 APPLICATION SECURITY HTTP OAuth Basic authentication Cute, but (mostly) - Plaintext passwords are transmitted - Plaintext usernames are transmitted - Re-usable tokens are exchanged REST/JSON JSON Web Tokens (JWT) JSON Object Signing and Encryption (JOSE) SOAP/XML SAML WS-Security Fixes that!

43 APPLICATION SECURITY SECURE TOKEN SERVICE Tokens can be transmitted as part of the HTTP body in an HTTP header

44 APPLICATION SECURITY SECURE TOKEN EXAMPLES

45 AUTHENTICATIE / IDENTIFICATION WS SECURITY TOKENS 1 2 UsernamePassword token Digest token

46 APPLICATION SECURITY WEBLOGIC SERVER: ORACLE WEBSERVICE MANAGER Centrally define and store declarative policies applied to the multiple Web services. Locally enforce policies through configurable agents. Monitor run time security events such as failed authentication or authorization.

47 AUTHENTICATION WS-SECURITY BASED ON USERNAME/PASSWORD WS-Security Username Authentication oracle/wss_username_token_client_policy oracle/wss_username_token_server_policy

48 AUTHENTICATION WS-SECURITY USING A DIGEST TOKEN WS-Security offers digest based authentication A digest consists of a cryptographic hash of A password A nonce: a number which can be used only once A timestamp

49 AUTHENTICATION WS-SECURITY USING DIGEST TOKEN IN WLS/OWSM WebLogic Server + OWSM Only with WLS internal LDAP Passwords should be decryptable to generate digests Can only authenticate users created after the digest configuration has been applied Nonce A nonce can be cached in Coherence Mind the Coherence cluster configuration!

50 AUTHORIZATION oracle/binding_authorization_template Role based access to a binding oracle/component_authorization_template Role based access to a component oracle/component_permission_authorization_template Authenticated subject can access component / webservice operation

51 INTEGRITY AND CONFIDENTIALITY Confidentiality: XML Encryption Message encryption Integrity: XML Signature Messages have not been altered since signing Signature can be checked to confirm the clients identity party

52 INTEGRITY AND CONFIDENTIALITY ORACLE WEBSERVICE MANAGER: POLICIES oracle/wss10_message_protection_client_policy oracle/wss11_message_protection_client_policy oracle/wss10_message_protection_server_policy oracle/wss11_message_protection_server_policy KSS keystore: Key alias JKS keystore: CSF entry in oracle.wsm.security

53 CONFIDENTIALITY PERSONALLY IDENTIFIABLE INFORMATION oracle/pii_security_policy Encryption of Personally Identifiable Information (PII) Only within a composite Want to use the value? Decrypt! (using Java embedding)

54 CONFIDENTIALITY PERSONALLY IDENTIFIABLE INFORMATION oracle/pii_security_policy Encryption of Personally Identifiable Information (PII) Only within a composite Want to use the value? Decrypt! (using Java embedding)

55 1 2 Considerations Food for thought

56 PERFORMANCE WS SecureConversation The number of authentications is reduced System entropy (especially on VMs) Preemptive basic authentication

57 CONSIDERATIONS Manageability Testability Complexity Performance Flexibility License fee Coverage Futureproof DTAP Capabilities of software Sensitivity of data

58 FOOD FOR THOUGHT GDPR Do you know what Personally Identifiable Information (PII) exactly is? Do you know which measures are required for the PII data you have? Do you know where your PII data is located, cached, stored (backups?), aggregated, analyzed,? Do you know who can access / has accessed this data? And for what reason? Do you know which agreements (for storing, processing, transmitting) are required and who is responsible for them? Do you have data lifecycle management in place? Can you remove PII data upon request? Can you provide a client with all their PII data you have on them?

59