DEPLOYING MULTI-TIER APPLICATIONS ACROSS MULTIPLE SECURITY DOMAINS

Similar documents
Security Assertions Markup Language (SAML)

SAML-Based SSO Solution

SAML-Based SSO Solution

Canadian Access Federation: Trust Assertion Document (TAD)

Datapower is both a security appliance & can provide a firewall mechanism to get into Systems of Record

ArcGIS Server and Portal for ArcGIS An Introduction to Security

Network Security Essentials

John Heimann Director, Security Product Management Oracle Corporation

Identity-Enabled Web Services

CA SiteMinder. Federation in Your Enterprise 12.51

Novell Access Manager 3.1

Vol. 1 Technical RFP No. QTA0015THA

Identität und Autorisierung als Grundlage für sichere Web-Services. Dr. Hannes P. Lubich IT Security Strategist

Canadian Access Federation: Trust Assertion Document (TAD)

CA SiteMinder. Federation Manager Guide: Legacy Federation. r12.5

How to Configure Authentication and Access Control (AAA)

Integrating Legacy Authorization Systems into the Grid: A Case Study Leveraging AzMan and ADAM

Canadian Access Federation: Trust Assertion Document (TAD)

Enterprise SOA Experience Workshop. Module 8: Operating an enterprise SOA Landscape

Identity Provider for SAP Single Sign-On and SAP Identity Management

Canadian Access Federation: Trust Assertion Document (TAD)

Canadian Access Federation: Trust Assertion Document (TAD)

Canadian Access Federation: Trust Assertion Document (TAD)

Sentinet for BizTalk Server SENTINET

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

Cloud Access Manager Overview

SOA-20: The Role of Policy Enforcement in SOA Management

Canadian Access Federation: Trust Assertion Document (TAD)

CA SiteMinder Federation

Integrated Security Context Management of Web Components and Services in Federated Identity Environments

Sentinet for Microsoft Azure SENTINET

Security Architecture for Open Grid Services

Kerberos on the Web Thomas Hardjono

Federated Identity Manager Business Gateway Version Configuration Guide GC

Sentinet for Windows Azure VERSION 2.2

Liferay Security Features Overview. How Liferay Approaches Security

Canadian Access Federation: Trust Assertion Document (TAD)

Canadian Access Federation: Trust Assertion Document (TAD)

SAP Security in a Hybrid World. Kiran Kola

Canadian Access Federation: Trust Assertion Document (TAD)

Unifie X Common Gateway Server (N Tier)

BusinessObjects Enterprise XI

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

Identity management. Tuomas Aura CSE-C3400 Information security. Aalto University, autumn 2014

SELF SERVICE INTERFACE CODE OF CONNECTION

Business White Paper IDENTITY AND SECURITY. Access Manager. Novell. Comprehensive Access Management for the Enterprise

1. Federation Participant Information DRAFT

Canadian Access Federation: Trust Assertion Document (TAD)

CA SiteMinder Federation

Canadian Access Federation: Trust Assertion Document (TAD)

Enhancing cloud applications by using external authentication services. 2015, 2016 IBM Corporation

Access Manager Applications Configuration Guide. October 2016

Oracle Utilities Opower Solution Extension Partner SSO

ArcGIS Enterprise Security: An Introduction. Gregory Ponto & Jeff Smith

Guide to Deploying NetScaler as an Active Directory Federation Services Proxy

Canadian Access Federation: Trust Assertion Document (TAD)

Security and Certificates

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

Canadian Access Federation: Trust Assertion Document (TAD)

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

CA Adapter. CA Adapter Installation Guide for Windows 8.0

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

DESIGN OF WEB SERVICE SINGLE SIGN-ON BASED ON TICKET AND ASSERTION

Dell One Identity Cloud Access Manager 8.0. Overview

InCommon Federation: Participant Operational Practices

Canadian Access Federation: Trust Assertion Document (TAD)

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

SAML-Based SSO Configuration

CA Adapter. Installation and Configuration Guide for Windows. r2.2.9

Server Installation and Administration Guide

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

Warm Up to Identity Protocol Soup

Canadian Access Federation: Trust Assertion Document (TAD)

IBM Secure Proxy. Advanced edge security for your multienterprise. Secure your network at the edge. Highlights

SAML SSO Deployment Guide for Cisco Unified Communications Applications, Release 12.0(1)

Canadian Access Federation: Trust Assertion Document (TAD)

EGI-InSPIRE. GridCertLib Shibboleth authentication for X.509 certificates and Grid proxies. Sergio Maffioletti

A solution for Access Delegation based on SAML. Ciro Formisano Ermanno Travaglino Isabel Matranga

ArcGIS Server Components: An Introduction to Server IT

EnterSpace Data Sheet

SafeNet Authentication Service

Canadian Access Federation: Trust Assertion Document (TAD)

Lesson 13 Securing Web Services (WS-Security, SAML)

Integrating VMware Workspace ONE with Okta. VMware Workspace ONE

Canadian Access Federation: Trust Assertion Document (TAD)

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

The Identity Web An Overview of XNS and the OASIS XRI TC

VMware Workspace ONE Quick Configuration Guide. VMware AirWatch 9.1

Today s workforce is Mobile. Cloud and SaaSbased. are being deployed and used faster than ever. Most applications are Web-based apps

A VO-friendly, Community-based Authorization Framework

CA CloudMinder. SSO Partnership Federation Guide 1.53

Security aspects of XML and Web services

Canadian Access Federation: Trust Assertion Document (TAD)

C exam. IBM C IBM WebSphere Application Server Developer Tools V8.5 with Liberty Profile. Version: 1.

Canadian Access Federation: Trust Assertion Document (TAD)

Canadian Access Federation: Trust Assertion Document (TAD)

Topics of Discussion

(9A05803) WEB SERVICES (ELECTIVE - III)

Strong Authentication for Web Services using Smartcards

Transcription:

DEPLOYING MULTI-TIER APPLICATIONS ACROSS MULTIPLE SECURITY DOMAINS Igor Balabine, Arne Koschel IONA Technologies, PLC 2350 Mission College Blvd #1200 Santa Clara, CA 95054 USA {igor.balabine, arne.koschel} @iona.com Abstract Keywords: In this paper we present an infrastructure layer, called Intermediary Security Platform (isp). which provides multi-tier applications with a uniform abstraction of the authentication and authorization services. The abstraction is achieved via an intermediary Security Service (is2). is2 presents applications with a uniform interface for authentication and authorization requests. In turn, is2 interfaces with Enterprise Security Systems (ESS) deployed at the site. isp provides multitier application components authentication services, authorization services, and a single sign-on facility, all of which can bridge multiple security domains established at the site. At the same time, user management tasks are still performed by dedicated ESS. isp architecture simplifies deployment of multi-tier applications on highly partitioned networks. authentication and authorization services, security architecture. multi-tier applications 1. INTRODUCTION When an Enterprise application performs its tasks, it decides whether a request can be carried out based on the access rights assigned to the request originator. Information about access rights associated with the requestor is typically stored and maintained by the Enterprise Security System (ESS) [1]. For highly developed Enterprise infrastructures, it is typical to have more than one ESS, each of which maintains one or more security domains in which service requestor's access rights are defined [2]. For example, a financial services company may maintain a Web access security domain, which specifies access rights for Internet-based users, and another security domain for granting access to the backend systems. The original version of this chapter was revised: The copyright line was incorrect. This has been corrected. The Erratum to this chapter is available at DOI: 10.1007/978-0-387-35696-9_19 E. Nardelli et al. (eds.), Certification and Security in E-Services IFIP International Federation for Information Processing 2003

178 Igor Balabine, Arne Koschel Proliferation of Web services requires the bridging of multiple Enterprise security domains, so that Internet-based users are presented with a robust and seamless view of the service provided by the Enterprise. Crossing security domain boundaries requires proliferation of the requestor's identity from one security domain to another, in a highly controlled and secure manner governed by individual domains' policies and rules. In many cases, a requestor's identity defined in one domain must be transformed for performing service in another domain. and access control is enforced by ESS with different capabilities [3]. 2. BRIDGING SECURITY DOMAINS VIA A SECURITY PLATFORM Security Platform (isp) provides an abstraction layer that insulates applications from the authentication and authorization ESS, thus presenting a monolithic view of the security infrastructure. At the same time, isp allows applications to use the existing Enterprise security infrastructure more easily, and makes possible orderly and secure transitions between different security domains. These transitions. which may involve impersonated and delegated actions, are achieved via a focal isp component called Security Service (is2). The following example of a Web services based multi-tier application, presented in Fig. 1 demonstrates is2 functionality and capabilities. In this scenario, a web-based customer communicates with a Web Services Gateway. Based on the content of the customer's message, the Gateway dispatches the request to a second-tier service. which is either a Web service or a J2EE application deployed on a J2EE-compliant application server. A second such service invokes a CORBA based middleware application, which in turn passes the request to a mission-critical Enterprise application deployed on a mainframe computer. In this deployment. Enterprise security is enforced in two domains: the Front-End domain, in which Web applications are deployed. and the Back End domain, which hosts the Enterprise applications. The Front-end domain is served by a portal authentication and authorization system such as Netegrity SiteMinder, Evidian PortalXpert. etc. Windows Active Directory or Domain Controller, OS/390 RACF/ACF2ITop Secret access control facility, or a similar system governs security in the Back-End domain. When a web-based customer establishes initial connection with the Web Services Gateway. she submits her credentials, e.g., user id and password or a digital certificate, which is valid in the Front-End security domain and managed by the portal ESS (1). The Gateway authenticates the customer with the Front-End authentication server and establishes customer's identity and authorizations in the Front-End security domain. As a consequence of this operation, the Gateway may receive a session authentication token, which it will return to

Deploying Multi-tier Applications Across Multiple Security Domains 179 o o kreahnb" Enterprise System. e,g. Netegrity f:'\4 V Figure 1 Multi-tier service spanning multiple security domains the customer for use in subsequent invocations of the service. If the original user credentials or a portal authentication token is used to identify the Customer, then the steps described below are performed independently. Once Customer's identity is established, the Web Services Gateway dispatches the request to one of the second-tier services. For simplicity we assume that the request is dispatched to the Web Service. The Web Services Gateway uses an application-level protocol to pass verified requestor's identity information to the Web Service (2). This application-level protocol is a private contract between the Web Services Gateway and the Web service, and allows passing the requestor's identity (that is, the principal) in a secure fashion, based on the trust relationship initially established by the parties. The contract is based on a public key or a shared secret method, and could have a proprietary or a normalized format. For example, this contract could be expressed as a SAML (Security Assertion Markup Language) [4] security assertion. Upon receiving information about the requestor's identity (principal), the Web service issues an authorization request to the is2 instance A (deployed in the Front-End security domain) asking for a list of access rights associated with

180 Igor Balabine, Arne Koschel this principal in its authority sub-domain, or realm, - called "Realm K' (3). is2 uses a dedicated adapter to communicate with the portal authentication server and receives back a list of requestor's identities (principals) along with a list of user authorizations for the requested realm (4). After processing the request, the Web service forwards it to the middleware CORBA application for more processing on the backend. At this point the request is crossing the security domain boundary, and the Web service selects an identity known in the Back-End security domain-which could be same as the requestor's identity (principal) in the Front-End domain, or another identity selected according to the Enterprise security policy (5). In turn, the CORBA middleware application issues an authorization request to is2 instance B, deployed on the Back-End security domain, asking it to provide requestor's authorizations (6). In this example, the ESS in the Back End security domain does not support the single sign on functionality. In order to provide the single sign-on function, the is2 Single Sign On (SSO) facility is deployed with is2 instance B. In the above example OS/390 Remote Access Control Facility (RACF) provides authorization information (7) in the Back End security domain, and the SSO feature is supported by the is2 SSO facility. Upon verifying the authorizations, the CORBA middleware application dispatches the request to the mainframe Enterprise application, supplying an SSO authorization token in the CSIv2-compliant (Common Secure Interoperability) [2] security context of the HOP message that contains the request (8). The nop interceptor verifies the SSO authentication token and receives authorization information from the is2 instance B (9). The verified requestor's identity is propagated to the mainframe application, which engages standard RACF methods to authorize actions at the business decision level. 3. OTHER ISP ADVANTAGES The above example shows how is2-enabled applications can demonstrate seamless performance in a complex partitioned environment that provides endto-end security for a multi-tier service. Besides the features demonstrated in this example, use of an intermediate security platform infrastructure provides the following advantages: The applications can be easily moved between different security domains. Rather than having to make changes in the application's code, it can simply be reconfigured to point to a different is2 instance. For example, one or both second-tier services could be moved to the Back-End security domain by simply reconfiguring the is2 URL to point to the is2 instance B.

Deploying Multi-tier Applications Across Multiple Security Domains 181 is2 enabled applications are completely neutral with respect to changes in the ESS provider. Configuring is2 to use a different ESS adapter and configuring the ESS adapter itself accomplishes the change. is2 ESS adapters are simple but very powerful. Custom is2 ESS adapters allow combining multiple ESS providers and performing requestor's access rights aggregation across multiple security domains. All user management operations are performed via ESS tools commonly used by the IT personnel. is2 and is2 ESS adapters are easy to install and configure. is2 allows to achieve uniformity of features provided by different ESS. The is2 SSO facility provides out of the box single sign on functionality, and is2 Authorization Manager allows implementation of Role Based Access Control (RBAC) in environments that lack authorization functionality [3]. Applications' authentication and authorization queries are expressed as SAML (Security Assertions Markup Language) assertions [4]. The is2 SDK binds the assertions to the transport protocols and secure communications between applications and is2, according to the SAML security profiles guidelines [5]. SAML security profiles ensure that sensitive information contained in the authentication and authorization requests is protected from tampering and eavesdropping. Centralized communications between is2 ESS adapters and ESS simplify multi-tier application deployment in firewall-partitioned networks. is2 could be co-located on the network with ESS eliminating need for opening the inter-departmental firewall for proprietary transports often used by ESS (e.g. SiteMinder authentication protocol). is2 enabled applications may use traditionally accepted http over the SSL and IIOP over the SSL transports to communicate with is2. 4. CONCLUSION Introduction of an intermediate security platform concept provides a flexible and robust infrastructure for abstracting authentication and authorization services for the Enterprise grade multi-tier applications. This intermediate security layer allows integration with virtually all Enterprise Security Services and may provide missing components in the environments devoid of the authorization and the single sign-on functionality. IONA Technologies implemented the intermediate security platform concept as a framework built into its products. IONA Security Framework is currently being deployed at multiple customer sites. It provides a shareable single

182 Igor Balabine, Arne Koschel sign-on facility, PKI, and Enterprise Management Systems integration services to Enterprise applications. References [1] J. Adams. mm Grid Computing Strategy. 2 nd ApGrid Workshop, Taipei, May 2002. [2] The Globus Project. OGSA Security Roadmap, July 2002. [3] R.S. Sandhu, and E.J. Coyne. Role-Based Access Control Models, IEEE Computer, Vol. 29, No.2, Feb. 1996. [4] Assertions And Protocol For The OASIS Security Assertions Markup Language (SAML). Committee Specification 01, 2002. [5) CORBA Common Secure Interoperability version 2. Object Management Group, 2000. [6) Bindings And Profiles For The OASIS Security Assertions Markup Language (SAML). Committee Specification 01, 2002.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback