Enterprise SOA Experience Workshop. Module 8: Operating an enterprise SOA Landscape

Similar documents
Datapower is both a security appliance & can provide a firewall mechanism to get into Systems of Record

SAP Security in a Hybrid World. Kiran Kola

zentrale Sicherheitsplattform für WS Web Services Manager in Action: Leitender Systemberater Kersten Mebus

Configure Principal Propagation using Logon tickets in Net weaver Process Integration 7.1

Identität und Autorisierung als Grundlage für sichere Web-Services. Dr. Hannes P. Lubich IT Security Strategist

ITCertMaster. Safe, simple and fast. 100% Pass guarantee! IT Certification Guaranteed, The Easy Way!

WEB-202: Building End-to-end Security for XML Web Services Applied Techniques, Patterns and Best Practices

Ellipse Web Services Overview

Overview SENTINET 3.1

Identity Provider for SAP Single Sign-On and SAP Identity Management

API Security Management with Sentinet SENTINET

C exam. IBM C IBM WebSphere Application Server Developer Tools V8.5 with Liberty Profile. Version: 1.

SAP HANA Operation Expert Summit BUILD User Management & Security Overview Andrea Kristen/SAP HANA Product Management May 2014.

Identity-Enabled Web Services

Federated Web Services with Mobile Devices

Sentinet for BizTalk Server SENTINET

Security Assertions Markup Language (SAML)

API Security Management SENTINET

Network Security Essentials

Access SAP Business Functions (ABAP) via Web Services

Service Interface Design RSVZ / INASTI 12 July 2006

Using the Cisco ACE Application Control Engine Application Switches with the Cisco ACE XML Gateway

Building Web Services with Java and SAP Web Application Server

Oracle Developer Day

National Identity Exchange Federation. Web Services System- to- System Profile. Version 1.1

Warm Up to Identity Protocol Soup

SAML-Based SSO Solution

J2EE APIs and Emerging Web Services Standards

Goal: Offer practical information to help the architecture evaluation of an SOA system. Evaluating a Service-Oriented Architecture

TIBCO ActiveMatrix Policy Director Administration

OpenIAM Identity and Access Manager Technical Architecture Overview

BEAAquaLogic. Service Bus. JPD Transport User Guide

Berner Fachhochschule. Technik und Informatik. Web Services. An Introduction. Prof. Dr. Eric Dubuis Berner Fachhochschule Biel

Lesson 13 Securing Web Services (WS-Security, SAML)

SAML-Based SSO Solution

Web Services in Cincom VisualWorks. WHITE PAPER Cincom In-depth Analysis and Review

Tivoli Federated Identity Manager. Sven-Erik Vestergaard Certified IT Specialist Security architect SWG Nordic

1Z Oracle SOA Suite 12c Essentials Exam Summary Syllabus Questions

Synchronization of Services between the IBM WebSphere Services Registry & Repository and SAP s Services Registry

SAP NetWeaver Process Integration 7.1. SAP NetWeaver Regional Implementation Group SAP NetWeaver Product Management December 2007

Concepts of Web Services Security

SSO Integration Overview

SAP Single Sign-On 2.0 Overview Presentation

CREATION AND CONFIGURATION OF WEB SERVICE FROM RFC AND DEPLOYMENT IN ANOTHER SYSTEM

1 Copyright 2011, Oracle and/or its affiliates. All rights reserved.

Implementing a Ground Service- Oriented Architecture (SOA) March 28, 2006

Integrating Legacy Assets Using J2EE Web Services

Security and Risk Management

Authentication. Katarina

Oracle SOA Suite 11g: Build Composite Applications

Federated Identity Manager Business Gateway Version Configuration Guide GC

SAP EDUCATION SAMPLE QUESTIONS: C_TBIT51_73. Questions. Note: There are 2 correct answers to this question. developer. the basis administrator.

BEAAquaLogic. Service Bus. Upgrade Guide

DEVELOPER GUIDE PIPELINE PILOT INTEGRATION COLLECTION 2016

Chapter 17 Web Services Additional Topics

INTEGRATED SECURITY SYSTEM FOR E-GOVERNMENT BASED ON SAML STANDARD

All about SAML End-to-end Tableau and OKTA integration

Using IBM DataPower as the ESB appliance, this provides the following benefits:

IBM Exam C IBM Tivoli Federated Identity Manager V6.2.2 Implementation Version: 6.0 [ Total Questions: 134 ]

Blueprinting Questionnaire Sample

SOA Security Scenarios: WebAS Java, Message Level Security with no Transport Guarantee

Michael Wegelin and Michael Englbrecht SAP. Interface Programming. Bonn Boston

Canadian Access Federation: Trust Assertion Document (TAD)

Vendor: IBM. Exam Code: Exam Name: IBM Tivoli Federated Identity Manager V6.2.2 Implementation. Version: Demo

RealMe. SAML v2.0 Messaging Introduction. Richard Bergquist Datacom Systems (Wellington) Ltd. Date: 15 November 2012

Cloud Access Manager Overview

A Signing Proxy for Web Services Security

BEYOND AUTHENTICATION IDENTITY AND ACCESS MANAGEMENT FOR THE MODERN ENTERPRISE

ActiveVOS Technologies

PASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year

CA SiteMinder Web Services Security

Web Services Registry Web Service Interface Specification

Zendesk Connector. Version 2.0. User Guide

DESIGN OF WEB SERVICE SINGLE SIGN-ON BASED ON TICKET AND ASSERTION

IEC Implementation Profiles for IEC 61968

Security aspects of XML and Web services

Oracle Fusion Middleware

Smarter Business Agility with WebSphere DataPower Appliances Introduction

Introduction... 5 Configuring Single Sign-On... 7 Prerequisites for Configuring Single Sign-On... 7 Installing Oracle HTTP Server...

Inside Symantec O 3. Sergi Isasi. Senior Manager, Product Management. SR B30 - Inside Symantec O3 1

Programming Web Services in Java

Oracle SOA Suite 12c: Build Composite Applications. About this course. Course type Essentials. Duration 5 Days

eid Interoperability for PEGS WS-Federation

SDN Community Contribution

John Heimann Director, Security Product Management Oracle Corporation

Oracle Fusion Middleware

Sentinet for Windows Azure VERSION 2.2

Unified Secure Access Beyond VPN

ADFS Setup (SAML Authentication)

Quality - The Key to Successful SOA. Charitha Kankanamge WSO2 February 2011

Oracle Fusion Middleware

Introduction to Web Services & SOA

Ramnish Singh IT Advisor Microsoft Corporation Session Code:

The Business of Identity: Business Drivers and Use Cases of Identity Web Services

Oracle Communications Services Gatekeeper

Introduction to Web Services & SOA

ADP Federated Single Sign On. Integration Guide

Web Services Architecture Directions. Rod Smith, Donald F Ferguson, Sanjiva Weerawarana IBM Corporation

ACORD Web Services Profile: 2.0 vs. 1.0

1z0-479 oracle. Number: 1z0-479 Passing Score: 800 Time Limit: 120 min.

Transcription:

Enterprise SOA Experience Workshop Module 8: Operating an enterprise SOA Landscape

Agenda 1. Authentication and Authorization 2. Web Services and Security 3. Web Services and Change Management 4. Summary SAP 2008 / Page 2

Business Roles and Privileges Business Roles Represent the business tasks of an employee Are usually defined as part of a business process Can be set up in hierarchies Are a combination of privileges and/or other business roles Are usually assigned to end users Business Roles Manager Accounting User User Privileges Represent the access information or technical authorizations (like ABAP authorization roles, UME roles, Portal roles, AD groups, ) External Service User E-Mail Privileges AD-User End user (Portal Role) Accounting (ABAP Role) Manager (ABAP Role) Are system specific can span internal and external systems Employer outsourced Service (e.g. Travel Service) E-Mail System Active Directory SAP NetWeaver Portal SAP FI SAP HR Corporate Systems SAP 2008 / Page 3

Role Definition and Provisioning Role Definition (design, 1-time) Read system access information (roles, groups, authorizations, ) from target systems Define a business role hierarchy Assign technical roles to business roles Develop rules for role assignments Provisioning (regularly) Assign or remove roles to/from people manually through Workflow or automatically, e.g. HR-driven/event-driven Automatic adjustment of master data and assignments of technical authorizations in target systems Connectors: ABAP (BAPI from 4.6c onwards) Java (SPML from SAP NetWeaver 04 onwards) Non SAP (MS ADS, LDAP, and others) Connector API in Java SAP NetWeaver Identity Management Password Management Identity Virtualization Roles and Assignments Provisioning Reporting Data Synchronization SAP 2008 / Page 4

Service Consumer Application Service Provider Application Enterprise Services Authentication and Single Sign-On Authentication can occur with solutions that are available with: the transport (HTTP protocol) the message (SOAP protocol) Message level mechanisms build on transport level authentication levels not mutually exclusive Authentication solutions supported by SAP NetWeaver: Service Message Level WSS Username Token Profiles WSS X.509 Certificate Token Profiles WSS SAML Token Profiles* Service Transport Level User ID and Password X.509 Client Certificates Logon Tickets SAP 2008 / Page 5 *support with SAP NetWeaver CE and PI 7.1. Down ported to SAP NetWeaver AS ABAP 7.0 SP14 and higher

Security Assertion Markup Language (SAML) SAML is an established OASIS standard to provide open, standard-based and interoperable Single Sign-On in heterogeneous landscapes SAML is a security protocol for Encoding authentication (and authorization) information in XML Assertions Verifying authentication against a SAML assertion authority source site Exchanging authentication information in a request/response fashion SAML provides Single Sign-On after an initial authentication Comparable to SAP Logon Tickets but not cookie based For secure message exchange SAML uses standard security protocols like SSL, TLS and XML signatures Support for SAML is strategic within SAP and will be continuously enhanced SAP 2008 / Page 6

Benefits of Security Assertions Markup Language (SAML) Interoperable security solution to allow systems integration with great ease and minimal resources SAML is a protocol for encoding security related information (assertions) into XML and exchanging this information in a request/response fashion Provides standard based mechanisms to exchange security information using SOAP, HTTP(s) SAML is an OASIS standard Domain Boundary SAML SAP Logon Ticket SAP 2008 / Page 7

Securing Single Sign On with SAML Assertions SAML authorities produce assertions in response to client requests. An assertion can consist of Authentication Statement: piece of data that represents an act of authentication performed on a subject (user) by the authority Authorization Statement Attribute Statement SAML Assertion Authentication Statement Other Statements SAP 2008 / Page 8

SAML Based Single Sign-On Scenarios SAML Identity Provider SAML Service Provider Web Browser based SSO SAML Browser/Artifact Profile SAML Standard Web Service based SSO SAML Token Profile Web Service Security Standard Service Consumer SAP 2008 / Page 9

SAML Token Profiles: Sender Vouches Subject Scenario Underlies Principal Propagation with Process Integration 7.1 How it works: client application Service call through Logical Port Service Provider Application Service Consumer SAML Identity Provider Service Provider Enables access to provider-side resources via consumer side user context in message in an interoperable way User access to service verified by consumer system with a SAML assertion SAP 2008 / Page 10

Secure Propagation of User Identity Goal Enforce user-based access control for distributed application processes Audit user access in service provider backend Securely pass the identity of a user in a system-to-system service call Service Client Service Provider HTTP SOAP over HTTP Bob User Authentication/SSO to Portal Web application User Identity Propagation for Web Service Call Solutions supporting secure Service Client to Service Provider identity propagation: SAP service consumers: Heterogeneous system landscapes: Bob Logon Tickets WSS SAML Token Profiles SAP 2008 / Page 11

Agenda 1. Authentication and Authorization Identity Management 2. Web Services and Security 3. Web Services and Change Management 4. Summary SAP 2007 / Page 12

WS-Security Motivation The SOAP protocol on its own does not provide any security mechanisms for Message Integrity & Confidentiality Authentication Non Repudiation of origin or receipt But: SOAP can be extended to provide additional features Up to the year 2002, best practice was to secure Web Services using Secure Sockets Layer (SSL) SOAP Envelope SOAP Header SOAP Body Data SOAP message format But SSL provides transport not application-level security SOAP Messages secured point-to-point, not end-to-end Messages stored unencrypted in files or databases at intermediaries not independent of underlying transport protocol WS-Security submitted to standards body (OASIS) in Sept 2002 and approved as an OASIS Standard in April 2004 SAP 2007 / Page 13

WS-Security in SAP NetWeaver Core Concepts Security Templates describe the security (i.e. Signature) used to protect the message (What will be protected). They define common security best practice scenarios Security Profiles define the runtime configuration of a Service or Consumer (Proxy) based on a Security Template (How will the message be protected) One profile may be assigned to multiple operations - that is, when the same certificate is to be used for an XML Signature, or different profiles of the same template are used for operations with different XML Signatures Service Consumer SOAP Request Service Provider operation() Outbound Inbound Inbound Outbound operation() Inbound/Outbound Security Profile based on a Security Template SOAP Response SAP 2008 / Page 14

WS Security in SAP NetWeaver Extended message level security options for Web Services Message authentication Username token profiles X.509 certificate token profiles SAML token profiles Message guarantees XML signatures XML encryption Web Service Reliable Messaging Message security configuration WS Security Policy WS Trust SOAP Envelope SOAP Header WS-Security Header SOAP Body Data Security Token Timestamp Signature Encrypted Key + Data SAP 2008 / Page 15

Point to Point Service Consumption Simplified Example System security Service destination to provider Exchange system certificates with provider Setup transport security (SSL) - optional Application security Define web access authentication configuration (in ticket policy configuration) Authorization check with UME Service security Acquired fromon WS Security Policy definitions in WSDL Create new LP must sync with SEI System security Exchange system certificates with Consumer Setup Service User / User Mapping (ABAP / Portal) Setup secure communication (SSL) - optional Application security Role based authorization check Service security Authentication requirements in SEI Service guarantees in SEI Confidentiality (SSL / XML enc) Integrity (XML Sign) WS-Reliable Messaging and fault reports Secure Conversation (with SSL for bootstrap) Setup service call via proxy Consumer CONSUMER APPLICATION tad LOGICAL PORT DIRECT CONNECTION SERVICE ENDPOINT Provider SERVICE IMPLEMENTATION Bob Service User / Bob SAP 2008 / Page 16

Mediated consumption via Process Integration 7.1 Service call through Process Integration provides for value added services Single point for service provisioning from various providers Service Routing, BPM and Mapping Connectivity to backend systems Asynchronous service capabilities XML schema validation for protecting message contents against misuse Security options for letting user Bob access to provider: Direct Access: User ID/Password (service user based) X.509 Certificate (service user based) SAML Tokens (propagate end user) Logon Ticket (propagate end user) Refined access control for brokered access Principal Propagation via PI: SAML Token Profile (message) Logon Tickets (transport) Consumer CONSUMER APPLICATION tbd LOGICAL PORT Bob SERVICE ENDPOINT Process Integration ROUTING MAPPING BPM SERVICE ENDPOINT INTERFACE ADAPTER Provider Provider SERVICE IMPLEMENTATION SERVICE IMPLEMENTATION Service User / Bob SAP 2008 / Page 17

Security Administration in SAP NetWeaver Administrator Efficient management of security through integrated interface accessible from a Web browser Centralized and web based administration of security functionality through integration in SAP NetWeaver Administrator Key Storage, Virus Scan, Destinations, Authentication Trusted Systems SSO2 Logon Ticket Configuration Wizard SAML Browser Artifact SAML Token Profiles Identity Management (User Management Engine user interface) Web Service Security configuration management Mass Administration for service provisioning Remote logging and monitoring administration with Computer Center Management System Functionality for landscape-based security management with System Landscape Directory functions (continuously enhanced) SAP 2008 / Page 18

SAP NetWeaver Administrator Mass Service Provider Administration Consumer System Destination Service User Mech. = Service User in message Ticket Single Sign On Mech. = SAML Account Service User Account Ticket Logon Provider System Consumer Group Employee Services : LeaveRequestOverviewService ChangeBankDataService Two runtime configurations on provider and consumer side: Profile/Domain Supported Authentication Mechanisms SAML (always possible) Assertion Ticket Username/Password in message Provider Side Consumable via HTTPS Supported Authentication Mechanisms: SAML, Assertion Ticket, Username/Password in message Consumer Side Uses HTTPS LeaveRequestOverViewService uses service user authentication (Account s Service User) ChangeBankDataService uses SAML authentication SAP 2008 / Page 19

Agenda 1. Authentication and Authorization Identity Management 2. Web Services and Security 3. Web Services and Change Management 4. Summary SAP 2007 / Page 20

Web Service Change Management and Interoperability Types of interaction with a Services Registry Publish/Unpublish/Update (service provider service registry) Find/Browse/Discover (service consumer/requester service registry) Invoke/Bind (service consumer/requester service provider) Challenges A WebService is typically consumed by multiple consumer Web service that has been running for a while it will most likely change in some regard (e.g. security configuration, bug fixes, or others) Solution Approach for UDDI 3.x with Subscriptions: UDDI version 3 provides the Subscription API Set, which is a mechanism that allows Web service consumers to subscribe to certain search criteria or directly to certain UDDI entities in order to get informed about changes in the registry. SAP 2008 / Page 22

UDDI Notification Mechanisms Synchronous change tracking Asynchronous notifications SAP 2008 / Page 23

Agenda 1. Authentication and Authorization Identity Management 2. Web Services and Security 3. Web Services and Change Management 4. Summary SAP 2007 / Page 24

SAP NetWeaver Platform Based Security Solutions: Integrated infrastructural services for meet requirements of diverse enterprise environments REQUIREMENT SAP NETWEAVER Empower business users Delegated user and content administration with centralized Identity Management for landscapes Support for flexible service and user authentication and SSO solutions Simplify administration and ensure business continuity with lower TCO Integrated security administration in Web-based NetWeaver Administrator SAP NetWeaver Identity Management Standards-based security solutions Native support for interoperable and flexible security solutions based on open standards JAAS SAML SPML GSS API WS-Security WS-Secure Conversation WS-Policy and WS-SecurityPolicy WS-Reliable Messaging Security Solutions for Enterprise Service Oriented Architectures and Process Integration Infrastructure-based protection of SAP NetWeaver applications against common attacks WS-Security, WS Security Extensions* SAML Browser Artifacts and WSS SAML Token Profiles Service Repository and Composites Security Access control and secure key management Virus Scanning interface, Output Encoding, Blacklist filtering, XML Schema Validation with PI 7.1 *support for XML Signatures, Username and Certificate token Certificates. Full support for XML Encryption and SAML Token Profiles with SAP NetWeaver 7.10, down port to SAP NetWeaver 7.0 AS ABAP SP 14 and higher SAP 2008 / Page 25

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback