Container-Native Applications

Container-Native Applications: Security, Logging, Tracing
Matthias Fuchs, @hias222
DOAG 2018 Exa & Middleware Days, 2018/06/19

Agenda
- Microservice Example Flow
- Oracle Cloud Details
- Logging
- Security, OAuth, TLS
- Tracing
- Service Mesh
- Lessons Learned

Microservices Example Flow: Implementation
- Cloud access through a load balancer
- Login with OAuth
- Angular app
- Logging
- Tracing
- Docker images
(Diagram: a Frontend (Angular/nginx) behind a Loadbalancer; Services (Rest/Spring Resource Servers) running as Docker containers; an OAuth Authorization Server; a Logging Service; Persistence. Flows shown: Login, Web Page Call, Web Service Call, App Authorization.)

Integrated Cloud Services
- Logging: Oracle Management Cloud (Agents); Elastic Search and Kibana (CloudWatch, Lambda, Elastic)
- Authentication/Authorization: Oracle Identity Service; Cognito, Keycloak, OAM, Ping Identity
- Docker Services Infrastructure: Container Service - Kubernetes; Enterprise Container Services (AWS), OpenShift, Google Kubernetes Engine
(Diagram: Rest/Spring Resource Server services with the Logging, Identity and Container services alongside.)

More Cloud Services
- Object Storage, maybe File Storage?
- Oracle Key Vault (cloud ready?)
- Identity and Access Management (IAM)
- Secrets: AWS Secrets Manager, HashiCorp Vault, S3 Buckets, Systems Manager Parameter Store


Container Services
- Application Container (PaaS)
- Container Service Classic (IaaS)
- Oracle Cloud Infrastructure (OCI): own VMs or Bare Metal
- Kubernetes (Wercker)

Kubernetes in Oracle Cloud (diagram slide)

Kubernetes Architecture: https://kubernetes.io/docs/concepts/architecture/cloud-controller/



Logging/Monitoring
(Diagram: Services on the infrastructure send Infrastructure Data, Metrics and App Data through an Agent to the Logging Services, which are either Cloud Services or self-service; a Cloud Service Dashboard is used to analyze the data.)

Oracle Cloud Agent
Cloud agents run on the hosts where entities are running. Cloud agents collect metrics and log data that is processed, analyzed and visualized in Oracle Management Cloud. APM agents are specifically for monitoring applications end to end. APM agents can be configured for a wide range of application servers and collect metrics that are processed, analyzed and visualized in Oracle Application Performance Monitoring.

Logging in Microservices
- Centralize and externalize log storage
- Log structured data
- Correlation IDs
- Dynamic logging levels and async logging
- For analysis and search: user information, security concept

Log View: Kibana/Lambda/CloudWatch; Oracle (screenshot slide)

Logging in Microservices
- User information: security aware, security concept
- Correlation ID: the basis for tracing
- Common log structure (JSON, XML, ..): tracing


IAAA Framework for Microservices APIs
- Identification: must support multiple identities and attributes (end users, system components, domains)
- Authentication: must support multiple authentication methods as well as delegated authentication
- Authorization: authorization for a single request may be decided at multiple points in the request path
- Accountability: capture of relevant security data or metadata from API messages

Current Approaches (DHARMA Foundational Concepts)
- Network-Level Controls: localhost, network isolation, SSL, SPIFFE
  SPIFFE (Secure Production Identity Framework for Everyone) is a set of open-source standards for securely identifying software systems in dynamic and heterogeneous environments
- Application-Level Controls (Traditional): cookie-based sessions, SAML
- Application-Level Controls (Tokens): OAuth, OpenID Connect, JWT
- Infrastructure: API intermediaries (API Gateway, service proxies); network overlays (Kubernetes, CloudFoundry, AWS IAM, rules)
- Emerging Approaches: Serverless, Service Mesh (Istio, nginx)

Network: TLS, SSL, openssl
- TLS is a separate protocol, mostly used with HTTP
- It acts as an interceptor between existing protocols, e.g. HTTP - TCP
- Interceptor on other application protocols as well (SMTP, Kafka, ..)
- Transparent: out of the scope of the user or client
- Not possible with all transport protocols, e.g. UDP
- Always use it

Network: TLS, SSL, openssl (protocol layering)
- Higher layer subprotocols: Handshake; Change Cipher Spec (depends on the handshake); Alert Protocol; Application Data Protocol
- TLS layer: fragment, compress, encrypt according to the cipher spec, add header
- Stack: Application Layer (e.g. HTTP) / SSL/TLS Higher Layer Subprotocol / TLS Layer Subprotocol / Transport Layer (TCP) / Network Layer (IP)

Modern Secret Management with Vault, HashiCorp: https://www.youtube.com/watch?v=iqigxgccezi

Tokens: OAuth 2.0 / (OpenID Connect)
OAuth history (Open Authorization):
- ca. 2008: OAuth 1.0
- IETF group, 2012: OAuth 2.0
- ca. 2014: OpenID Connect (extension of OAuth 2.0)
Before: SAML - SSO for web applications (Security Assertion Markup Language); SAML since 2002, SAML 2.0 in 2005

OAuth 2.0 grant types
- Implicit (JavaScript, third party): redirect/callback. Call: response_type=access_token&client_id&redirect_uri. Response: Access Token
- Authorization Code: redirect/callback. Call: response_type=code&client_id&redirect_uri. Response: Authorization Code; second trip: Access Token (Refresh Token)
- Resource Owner Credentials (backward compatible, OAuth 1.0): Call: grant_type=password, username/password + client credentials. Response: Access Token or Refresh Token
- Client Credentials (application): Call: grant_type=client_credentials, client_id/client_secret. Response: Access Token
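The Rest/Spring resource servers in the example flow have to check the access token that the grants above hand out before serving a request. The following is an added Python example, not code from the talk; it assumes HS256 tokens signed with a constructed shared secret and an audience name of order-service, and issue_token stands in for the authorization server so the check runs offline.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumed for the demo: HS256 with a constructed shared secret and this audience name.
# Real deployments usually verify RS256 signatures against the server's published keys.
SHARED_SECRET = b"constructed-demo-secret-do-not-reuse"
EXPECTED_AUDIENCE = "order-service"

def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(claims):
    """Stand-in for the authorization server's token endpoint: a signed HS256 JWT."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(SHARED_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def validate_bearer(authorization_header, now=None):
    """Resource-server check of 'Authorization: Bearer <jwt>'; returns (claims, None) or (None, reason)."""
    now = time.time() if now is None else now
    if not authorization_header or not authorization_header.startswith("Bearer "):
        return None, "missing bearer token"
    parts = authorization_header[len("Bearer "):].split(".")
    if len(parts) != 3:
        return None, "malformed token"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None, "undecodable token"
    # Pin the algorithm server-side; the token must not choose it ("alg": "none" is rejected here).
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None, "unexpected algorithm"
    expected = hmac.new(SHARED_SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None, "bad signature"
    if not isinstance(claims, dict) or not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        return None, "token expired"
    if claims.get("aud") != EXPECTED_AUDIENCE:
        return None, "wrong audience"
    return claims, None
```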

Infra: API or Access Gateway
- API Gateway: central, mid-tier; load balancer, switches, security; many more features like throttling or routing
- Load balancer and other services; tokens, mutual TLS
- API Gateway, e.g. SSL + header information
(Diagram: Frontend (Angular/nginx) and Services (Rest/Spring Resource Servers) as Docker containers behind the gateway.)

Infra: Example Access GW
(Diagram: an Access Mgmt Proxy handling OpenID Token, Identity Federation and Mutual TLS; CloudFoundry Routing with TLS, an Authentication Header and Mutual TLS towards a 3rd party; LDAP; Login/Token flow App -> Auth Service; the Apps behind it.)


Tracing
Wikipedia: "In software engineering, tracing involves a specialized use of logging to record information about a program's execution. This information is typically used by programmers for debugging purposes, and additionally, depending on the type and detail of information contained in a trace log, by experienced system administrators or technical-support personnel and by software monitoring tools to diagnose common problems with software. Tracing is a cross-cutting concern."

Microservice and Tracing
- Distributed tracing: collect all traces at a central position; correlate our tracing information
- Extended logging: create a correlation ID, or take the existing correlation ID; collect centrally for analysis

Poor Man's Distributed Tracing
"One solution is at the beginning of the call chain we can create a CORRELATION_ID and add it to all log statements. Along with it, send CORRELATION_ID as a header to all the downstream services as well so that those downstream services also use CORRELATION_ID in logs. This way we can identify all the log statements related to a particular action across services."
Source: https://dzone.com/articles/microservices-part-6-distributed-tracing-with-spri

Where to create the Correlation ID
1. Client
2. LB / API GW
3. Identity
4. First Service
(Diagram: the four positions marked in the example flow: Frontend (Angular/nginx), Loadbalancer/API Gateway, Authorization Server (OAuth), Services (Rest/Spring Resource Servers); Persistence and Logging alongside.)

Enterprise Way: Correlation IDs
- Identity
- ECID (Execution Context ID), down to the DB
- Header: trace and span IDs
- Header: X-Amzn-Trace-Id
- Header: X-ORACLE-DMS-ECID, X-ORACLE-DMS-RID
- or build your own library
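Added Python example (not the talk's own shared library) of the correlation-ID propagation described on the tracing and logging slides: each hop takes an incoming X-Correlation-Id (an assumed header name; X-Amzn-Trace-Id or X-ORACLE-DMS-ECID would be used the same way), creates one only when none arrives, writes structured JSON log lines carrying the ID and the user identity, and forwards the ID downstream. The call chain and the log sink are constructed for the demo.

```python
import json
import uuid
from datetime import datetime, timezone

# Assumed header name; the deck lists vendor equivalents such as X-Amzn-Trace-Id
# and X-ORACLE-DMS-ECID, which can be substituted here.
CORRELATION_HEADER = "X-Correlation-Id"

def get_or_create_correlation_id(incoming_headers):
    """Adopt the ID from the incoming request (case-insensitive header match);
    mint a UUID4 only when this hop is the first in the chain."""
    for name, value in incoming_headers.items():
        if name.lower() == CORRELATION_HEADER.lower() and value.strip():
            return value.strip()
    return str(uuid.uuid4())

def log_event(sink, service, correlation_id, message, user=None):
    """Append one JSON log line that a central indexer can filter by service,
    correlation_id and user. Only the identity is logged, never a credential or token."""
    record = {
        "ts": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "service": service,
        "correlation_id": correlation_id,
        "message": message,
    }
    if user is not None:
        record["user"] = user
    sink.append(json.dumps(record, sort_keys=True))
    return record

def handle_request(sink, service, incoming_headers, user, call_downstream=None):
    """One service hop: take or create the ID, log it, and forward the same ID in
    the outgoing headers so the next service logs it as well."""
    cid = get_or_create_correlation_id(incoming_headers)
    log_event(sink, service, cid, "request received", user=user)
    if call_downstream is not None:
        call_downstream({CORRELATION_HEADER: cid, "Accept": "application/json"})
    log_event(sink, service, cid, "request completed", user=user)
    return cid

def run_sample_chain(sink):
    """Constructed chain frontend -> order-service -> persistence with no ID supplied by
    the client; returns the set of correlation IDs found in the collected log lines."""
    handle_request(sink, "frontend", {"Accept": "text/html"}, "alice",
                   lambda h: handle_request(sink, "order-service", h, "alice",
                                            lambda h2: handle_request(sink, "persistence", h2, "alice")))
    return {json.loads(line)["correlation_id"] for line in sink}
```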

Example: ID Tracing shared Library (code slide)


Service Mesh - Istio
- Standard: Docker containers with the Frontend (Angular/nginx) and the Services (Rest/Spring Resource Server)
- Istio sidecar: each Docker container gets a Proxy in front of the Frontend (Angular/nginx) and the Services (Rest/Spring Resource Server)

Istio Detail - Sidecar: https://istio.io/docs/concepts/what-is-istio/img/overview/arch.svg

Example View (screenshot slide)

Service Mesh - Istio
- Easy to use
- Quick implementation
- Easy monitoring
- Extra dependency for the Correlation ID
- Complex architecture


Lessons Learned
Infrastructure and Development, DevOps:
- Prepare your infrastructure with logging etc.
- Start setting up the infrastructure from the first development on
- Logging and tracing aren't easy
User authentication/authorization:
- Choose your way to authenticate users
- Maybe cloud services are the fastest way, but customization?
- Using open source frameworks, cloud services or enterprise apps? The key for success
