WEBSERVICE SECURITY
CONSIDERATIONS AND MEASURES
Maarten Smeets
03-12-2017
@MaartenSmeetsNL
https://nl.linkedin.com/in/smeetsm
About Maarten
• Integration consultant at AMIS since 2014
• Several certifications
SOA, BPM, MCS, Java, SQL, PL/SQL, etc
• Enthusiastic blogger
http://javaoraclesoa.blogspot.com
WEBSERVICE SECURITY
• INTRODUCTION
• TLS/SSL AND APPLICATION LAYER
• TLS IN SOA SUITE
• TLS IN THE ORACLE CLOUD
• AUTHENTICATION / IDENTIFICATION
• USING HTTP HEADERS
• WS-SECURITY
• FINAL THOUGHTS
Webservice security considerations and measures
WEBSERVICE SECURITY
GDPR IN THE UK AND WITHDRAWAL FROM THE EU
• 21 June 2017
The Queen’s Speech has confirmed that the General Data Protection
Regulation will form part of UK law following the country’s withdrawal
from the European Union.
GDPR AT UKOUG
Time     | Session title                                                                            | Conference | Presenter
Mo 12:35 | GDPR for the Oracle DBA                                                                  | Tech17     | Peter Finnigan (PeteFinnigan.com)
Tu 9:00  | Impact of EU GDPR on Big Data & Business Intelligence                                    | Apps17     | Baljit Sarpal (Sarpal Consultancy)
Tu 11:15 | EU GDPR Mechanisms of Control with Process Modelling & Data & Application Services Gov   | Apps17     | Milomir Vojvodic (Oracle)
Tu 14:50 | GDPR & IFRS Compliance                                                                   | JDE17      | Howard Page (QSoftware)
WEBSERVICE SECURITY
GENERAL DATA PROTECTION REGULATION (GDPR)
• "...implement measures to mitigate those risks, such as encryption."
(P51. (83))
• "...appropriate safeguards, which may include encryption" (P121 (4.e))
• "...including inter alia as appropriate: (a) the pseudonymization and
encryption of personal data." (P160 (1a))
• "...unintelligible to any person who is not authorized to access it, such as
encryption" (P163 (3a))
WEBSERVICE SECURITY
• Confidentiality
• Integrity
• Authentication / Identity
• Authorization
• Access to specific resources
• Entitlements
WEBSERVICE SECURITY
Application layer (HTTP, LDAP)
TLS/SSL layer
Transport layer (TCP, UDP)
Network layer (IP)
Security only in the application layer might cause plaintext passwords or
reusable tokens to be transmitted and potentially intercepted.
WEBSERVICE SECURITY
TLS/SSL VS APPLICATION LAYER SECURITY
• Performance
TLS/SSL is much faster than security on message contents
• Granularity
TLS/SSL is usually on host level
Application security can be much more specific
• Genericity
TLS/SSL can be used on HTTP, SMTP, T3
Application layer security is specific for a platform / application
WEBSERVICE SECURITY
WHICH PRODUCTS
• Part of gateway products
• API Gateway
• API Platform Cloud Service
• Part of application server / integration products such as
• WebLogic Server / SOA Suite
• Java Cloud Service / SOA CS
• Part of ‘high’ PaaS and SaaS products such as
• Mobile Cloud Service
• Integration Cloud Service
REPUDIATION OF ORIGIN
Do you trust the source of the message
Authentication and identification
REPUDIATION OF EMISSION
Do you trust the contents of the message
Integrity and confidentiality
WEBSERVICE SECURITY
1. TLS/SSL layer
2. Application layer
WEBSERVICE SECURITY
TLS/SSL LAYER
• Client and server perform a handshake
• During the handshake certificates are exchanged
• Certificates are stored in keystores and can be checked
• Client and server agree on further details of the connection (cipher suite)
WEBSERVICE SECURITY
WHAT’S IN A CERTIFICATE
• A public key
• Information on the issuer
• A serial number, unique per issuer
• A period during which the certificate is valid
• A hostname or hostname wildcard
• References to certificate revocation lists
WEBSERVICE SECURITY
KEYSTORE TYPES IN WEBLOGIC SERVER
• JKS: Java KeyStore
Filesystem storage
• Edit using
• CLI: keytool
• GUI (3rd party):
• KeyExplorer
• Portecle
• KSS: OPSS KeyStoreService
Database storage
• Edit using
• WLST
• REST API
• FMW Control
• Introduced in WLS 10.3.6 (SOA Suite 11.1.1.7), default in 12c
https://technology.amis.nl/2017/09/24/oracle-soa-suite-and-weblogic-overview-of-key-and-keystore-configuration/
• Used for TLS/SSL and application layer security (OWSM)
WEBSERVICE SECURITY
TLS: USING CIPHER SUITES
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
• ECDHE: key exchange
• ECDSA: signature
• AES_256_GCM: bulk encryption algorithm
• SHA384: message authentication algorithm
Key exchange and signature: authentication / identification (repudiation of origin)
Bulk encryption: confidentiality; message authentication: integrity (together: repudiation of emission)
TRANSPORT LAYER SECURITY
ONE WAY
• The client does not send a certificate the server can check
• The server sends a certificate the client can check
TRANSPORT LAYER SECURITY
TWO WAY
• The client sends a certificate the server can check
• The server sends a certificate the client can check
CONSIDERATIONS ONE OR TWO WAY SSL
• Do you require validation of the client?
Are client and server located in the same data center?
• Can you control the client?
Force the client to use a client certificate?
Manage client certificates next to server certificates
• Performance
Per TLS connection extra validations need to be performed
More network traffic is required since the client also sends a certificate
OUTBOUND 2-WAY SSL SOA SUITE
1. Composites
2. Service Bus
COMPOSITES
• Configure the composite identity keystore
This is domain level configuration! Not customizable per service
• Configure keystore password and key password
Add CSF entries in the folder SOA
• Configure composite reference for 2-way SSL
<property name="oracle.soa.two.way.ssl.enabled">true</property>
• Trust the public certificates
Put the client certificate or CA in the server truststore and
the server certificate or CA in the client truststore.
SERVICE BUS
• PKICredentialMapper
Create a PKICredentialMapper in WebLogic Console
Define the keystore and keystore password
• ServiceKeyProvider
Create a ServiceKeyProvider in a project (or a shared location)
This uses the PKICredentialMapper. Contains a reference to the key and key password
http://www.redrock-it.nl/add-client-certificate-outgoing-osb-call/
TLS IN THE ORACLE CLOUD
1. IaaS and Compute based PaaS
2. Non Compute based PaaS and SaaS
ORACLE CLOUD
IAAS AND COMPUTE BASED PAAS
• Services in which the customer can access the VM
Like Java Cloud Service, Database Cloud Service
• “bring your own host name” policy
• The customer is responsible for requesting a certificate and
implementing it
http://www.ateam-oracle.com/https-and-trust-in-oracle-public-cloud/
ORACLE CLOUD
NON COMPUTE BASED PAAS AND SAAS
• Services like ICS, SOACS, Mobile Cloud Service, Document Cloud Service, Sales Cloud, ERP Cloud
• Oracle offers a (wildcard) certificate per cloud service per region
• Cipher suites are preconfigured and not configurable
Application layer security
AUTHENTICATION / IDENTIFICATION
HTTP HEADERS
1. Basic authentication
2. OAuth
WEBSERVICE SECURITY
HTTP HEADERS: BASIC AUTHENTICATION
HTTP header name: Authorization
HTTP header contents: Basic dXNlcjpwYXNzd29yZA==
The value after "Basic" is the Base64 encoding of user:password
WEBSERVICE SECURITY
SECURE TOKEN SERVICE
WEBSERVICE SECURITY
HTTP HEADERS: OAUTH 2.0: MOBILE CLOUD SERVICE
• Use basic authentication to obtain a token from the token service
• The token is valid for 8h
• Use the token
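The two header flows above (Basic credentials, and a token obtained with Basic credentials that is then reused until it expires) as an added example; this is not code from the slides or from Mobile Cloud Service. The Base64 value reproduces the one on the slide, and the token service is a stand-in callable (an assumption: no real MCS endpoint is contacted). The point to notice on the server side is that Basic is an encoding, not encryption, so the parser rejects malformed input but cannot protect the password; only TLS underneath does that.

```python
import base64
import binascii
import time
from typing import Callable, Optional, Tuple


def build_basic_header(username: str, password: str) -> str:
    """Build the Authorization header value for HTTP Basic authentication.

    The credentials are only Base64-encoded, never encrypted; without TLS the
    password is readable by anyone on the path.
    """
    if ":" in username:
        raise ValueError("username must not contain ':' (it separates user and password)")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_header(header_value: str) -> Tuple[str, str]:
    """Server side: decode a Basic header, refusing malformed input instead of guessing."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("not a Basic authentication header")
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("credentials are not valid Base64/UTF-8") from exc
    user, sep, pwd = raw.partition(":")
    if not sep:
        raise ValueError("credentials must have the form user:password")
    return user, pwd


class BearerTokenCache:
    """Client-side cache for a token issued by a token service.

    request_token is the (assumed) call that presents Basic credentials to the
    token service and returns the access token. The token is reused until shortly
    before its lifetime (8h on the slides) runs out, so the password is sent once
    per token lifetime rather than on every request.
    """

    def __init__(self, request_token: Callable[[], str], lifetime_seconds: int = 8 * 3600,
                 refresh_margin_seconds: int = 300, clock: Callable[[], float] = time.time) -> None:
        self._request_token = request_token
        self._lifetime = lifetime_seconds
        self._margin = refresh_margin_seconds
        self._clock = clock
        self._token: Optional[str] = None
        self._expires_at = 0.0
        self.token_requests = 0  # how often the token service was actually called

    def authorization_header(self) -> str:
        now = self._clock()
        if self._token is None or now >= self._expires_at - self._margin:
            self._token = self._request_token()
            self._expires_at = now + self._lifetime
            self.token_requests += 1
        return f"Bearer {self._token}"


def demo() -> int:
    """Constructed walk-through: Basic to the token service, then the cached token."""
    basic = build_basic_header("user", "password")  # "Basic dXNlcjpwYXNzd29yZA=="

    def fake_token_service() -> str:
        # Stand-in for the real token service: it would verify `basic` and mint a token.
        return "token-issued-for-" + parse_basic_header(basic)[0]

    cache = BearerTokenCache(fake_token_service)
    cache.authorization_header()  # first call hits the token service
    cache.authorization_header()  # second call reuses the cached token
    return cache.token_requests    # 1


if __name__ == "__main__":
    print(build_basic_header("user", "password"))
    print(parse_basic_header("Basic dXNlcjpwYXNzd29yZA=="))
    print("token service calls:", demo())
```

The refresh margin makes the client fetch a new token a few minutes before the 8h limit, so a request never goes out with a token that expires in flight; a deployment with several nodes needs the cache shared or each node obtains its own token.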
AUTHENTICATION / IDENTIFICATION
WS-SECURITY
1. UsernamePassword token
2. Digest token
AUTHENTICATION
WS-SECURITY USING A USERNAME/PASSWORD TOKEN
• WS-Security Username Authentication
oracle/wss_username_token_client_policy
oracle/wss_username_token_server_policy
AUTHENTICATION
WS-SECURITY USING A DIGEST TOKEN
• WS-Security provides authentication based on a digest token
• A digest token consists of a cryptographic hash of
• A username / password
• A nonce: a number or string which can be used only once
• A timestamp
AUTHENTICATION
WS-SECURITY USING A DIGEST TOKEN IN WLS/OWSM
• WebLogic Server + OWSM
• Only when authenticating using the WLS internal LDAP
It must be possible to decrypt the stored password (the server needs the plaintext to recompute the digest)
• Can only authenticate users created after the digest configuration has been applied
• Nonce
A nonce can be cached in Coherence
Mind the Coherence configuration!
https://thecattlecrew.net/2017/03/22/ws-security-with-username-token-profile-on-oracle-weblogic-server/
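The digest token described on the two slides above, as an added example that is not code from the slides, from OWSM or from the linked post. It implements the UsernameToken profile rule PasswordDigest = Base64(SHA-1(nonce + created + password)) on the client side, and on the server side the three checks the slides imply: the timestamp must be fresh, the nonce must not have been seen before (the in-memory dictionary stands in for the Coherence cache and, like it, must be shared by all nodes), and the digest must match a recomputation from the stored plaintext password, which is why reversible password storage is a precondition. The user directory and the fixed clock in `demo()` are constructed.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Optional

CREATED_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """PasswordDigest = Base64(SHA-1(nonce + created + password)); nonce is the raw bytes."""
    digest = hashlib.sha1(nonce + created.encode("utf-8") + password.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def build_username_token(username: str, password: str, now: Optional[datetime] = None) -> Dict[str, str]:
    """Client side: fresh random nonce plus timestamp; the password itself never leaves the client."""
    created = (now or datetime.now(timezone.utc)).strftime(CREATED_FORMAT)
    nonce = os.urandom(16)
    return {
        "Username": username,
        "Nonce": base64.b64encode(nonce).decode("ascii"),
        "Created": created,
        "PasswordDigest": password_digest(nonce, created, password),
    }


class DigestVerifier:
    """Server side. lookup_password returns the user's plaintext password or None."""

    def __init__(self, lookup_password: Callable[[str], Optional[str]], freshness_seconds: int = 300) -> None:
        self._lookup = lookup_password
        self._freshness = timedelta(seconds=freshness_seconds)
        self._seen_nonces: Dict[str, datetime] = {}  # nonce -> moment it may be forgotten

    def verify(self, token: Dict[str, str], now: Optional[datetime] = None) -> bool:
        now = now or datetime.now(timezone.utc)
        try:
            created = datetime.strptime(token["Created"], CREATED_FORMAT).replace(tzinfo=timezone.utc)
            nonce = base64.b64decode(token["Nonce"], validate=True)
        except (KeyError, ValueError):          # binascii.Error is a ValueError
            return False
        if abs(now - created) > self._freshness:
            return False                          # stale or future-dated timestamp
        self._seen_nonces = {n: t for n, t in self._seen_nonces.items() if t > now}
        if token["Nonce"] in self._seen_nonces:
            return False                          # replay of a nonce inside the window
        password = self._lookup(token.get("Username", ""))
        if password is None:
            return False
        expected = password_digest(nonce, token["Created"], password)
        if not hmac.compare_digest(expected, token.get("PasswordDigest", "")):
            return False
        # Remember the nonce at least as long as its timestamp could still pass the freshness check.
        self._seen_nonces[token["Nonce"]] = max(now, created) + self._freshness
        return True


def demo() -> Dict[str, bool]:
    """Constructed scenario with a fixed clock so the outcomes are reproducible."""
    t0 = datetime(2017, 12, 3, 12, 0, 0, tzinfo=timezone.utc)
    directory = {"user": "password"}              # constructed user store
    verifier = DigestVerifier(directory.get)
    fresh = build_username_token("user", "password", now=t0)
    return {
        "fresh token accepted": verifier.verify(fresh, now=t0),
        "same token replayed": verifier.verify(fresh, now=t0 + timedelta(seconds=5)),
        "token older than window": verifier.verify(
            build_username_token("user", "password", now=t0), now=t0 + timedelta(minutes=10)),
        "wrong password": verifier.verify(build_username_token("user", "wrong", now=t0), now=t0),
        "unknown user": verifier.verify(build_username_token("nobody", "x", now=t0), now=t0),
        "malformed nonce": verifier.verify(
            {"Username": "user", "Nonce": "!!", "Created": t0.strftime(CREATED_FORMAT), "PasswordDigest": ""},
            now=t0),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

The nonce is recorded only after a successful check, and kept for the whole freshness window measured from the later of "now" and the token's own timestamp; a shorter retention than the window is exactly the Coherence misconfiguration the slide warns about, because a replay would then slip through once the entry has been evicted.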
CONFIDENTIALITY AND INTEGRITY
ON THE APPLICATION LAYER USING WS-SECURITY
• Confidentiality: XML Encryption
• Message encryption
• Integrity: XML Signature
• Messages have not been changed since signing
• The sending party uses its private key for signing. The receiving party
can check the signature with the sender's public key
CONFIDENTIALITY AND INTEGRITY
ORACLE WEBSERVICE MANAGER: POLICIES
• oracle/wss10_message_protection_client_policy
oracle/wss11_message_protection_client_policy
oracle/wss10_message_protection_server_policy
oracle/wss11_message_protection_server_policy
KSS keystore: Key alias
JKS keystore: CSF entry in oracle.wsm.security
CONFIDENTIALITY
• oracle/pii_security_policy
Encryption of Personally Identifiable Information (PII)
• Only within a composite
• You want to use the value? First decrypt it (using Java embedding)
Personally Identifiable Information
CONFIDENTIALITY
PERSONALLY IDENTIFIABLE INFORMATION
1. Considerations
2. Food for thought
CONSIDERATIONS
Performance
Complexity
Coverage
DTAP
Capabilities of software
Futureproof
Sensitivity of data
License fee
Testability
Flexibility
Manageability
PERFORMANCE
• WS SecureConversation
With multiple messages, the number of authentications performed is reduced
• System entropy (especially on VMs)
http://oraclemiddlewareblog.com/2012/10/17/how-to-improve-weblogic-servers-startup-time
http://bugs.java.com/view_bug.do?bug_id=6521844
• Preemptive basic authentication
http://georgie-soablog.blogspot.nl/2013/09/bpel-calling-web-services-with-http.html
https://en.wikipedia.org/wiki/WS-Security
FOOD FOR THOUGHT
GDPR
• Do you know what Personally Identifiable Information (PII) exactly is?
• Do you know where your PII data is located, cached, stored (backups?),
aggregated, analyzed, …?
• Do you know who can access this data? And for what reason? Do you keep
record of people accessing data?
• Do you know who has the responsibility to provide agreements and
assessments for (storing, processing, transmitting) this data?
• Can you remove PII data in all systems on request?
• Can you provide a client with all the PII data you have on them?
Webservice security considerations and measures
REPUDIATION OF EMISSION
• Send a hash value with the message
• The same message produces the same value with the same hash function
• Only sender and receiver know the hash function
Message → Hash function → Hash value
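The "hash value sent with the message" idea above, as an added example (not code from the slides). A hash function that "only sender and receiver know" is in practice a keyed hash: here HMAC-SHA256 with a shared secret, which is what standard libraries offer instead of a secret algorithm. The message and key are constructed. A plain, unkeyed hash would not give repudiation of emission, because whoever alters the message can recompute it.

```python
import hashlib
import hmac
from typing import Tuple


def tag_message(key: bytes, message: bytes) -> str:
    """Keyed hash (HMAC-SHA256) over the message; only holders of the key can produce it."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_message(key: bytes, message: bytes, tag: str) -> bool:
    """Recompute and compare in constant time, so timing does not reveal matching prefixes."""
    return hmac.compare_digest(tag_message(key, message), tag)


def send(key: bytes, message: bytes) -> Tuple[bytes, str]:
    """Sender side: ship the message together with its tag."""
    return message, tag_message(key, message)


def demo() -> Tuple[bool, bool]:
    """Constructed exchange: the original message verifies, a modified copy does not."""
    key = b"constructed-shared-secret-for-the-example"
    message, tag = send(key, b"<order><amount>100</amount></order>")
    modified = message.replace(b"100", b"1000")   # altered in transit, tag unchanged
    # Note: hashlib.sha256(modified) could be recomputed by anyone; the HMAC cannot
    # be recomputed without the key, which is what gives the receiver integrity.
    return verify_message(key, message, tag), verify_message(key, modified, tag)


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The shared key still has to reach both parties safely, which is the key-distribution question the symmetric cryptography slides raise; an XML Signature with a private key (previous section) avoids sharing a secret at all and additionally lets third parties verify the signer.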
TRANSPORT LAYER SECURITY
VERSIONS
TLS version | Released | Main vulnerabilities                   | Origin
SSL 1       | No       | Never released due to too many issues  | Netscape
SSL 2       | 1995     | DROWN                                  | Netscape
SSL 3       | 1996     | POODLE                                 | Netscape
TLS 1.0     | 1999     | BEAST                                  | IETF
TLS 1.1     | 2006     | CBC, Sweet32                           | IETF
TLS 1.2     | 2008     | Logjam, FREAK, Heartbleed (OpenSSL)    | IETF
TLS 1.3     | TBD      |                                        | IETF
TRANSPORT LAYER SECURITY
JAVA
• TLS 1.2 is supported from
• Oracle JDK 6u121
• JRockit R28.3.11
• The best cipher suites require
Java Cryptography Extension (JCE)
Unlimited Strength Jurisdiction Policy Files
• JCE can be installed on JRockit and Oracle JDK
See Oracle support Doc ID 2262067.1
• In new versions of Java installation of JCE is no longer required (default)
6u191, 7u181, 8u171, 9
ORACLE CLOUD
CIPHER SUITES
• TLS 1.0 is supported
Possibly vulnerable to POODLE and BEAST
• TLS 1.2 GCM cipher suites are not supported. These offer integrity checking.
• Several SHA (SHA-1) cipher suites are offered next to SHA256.
These are vulnerable to collision attacks
• TLS_RSA_WITH_3DES_EDE_CBC_SHA
Is a weak cipher suite
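An added example, not code from the slides, that serves two slides: the cipher-suite anatomy slide (TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 split into key exchange, signature, bulk cipher and MAC) and the Oracle Cloud cipher-suite assessment above. It parses IANA suite names in both the pre-1.3 `_WITH_` form and the TLS 1.3 form, derives forward secrecy and AEAD from the parts, and attaches the defender's warnings the slides mention (static RSA key exchange, 3DES/Sweet32, CBC, SHA-1 MAC, export grade). The sample list is constructed from the suites on the slides plus two for contrast; the warning texts are this example's own wording.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

FORWARD_SECRET_KX = {"ECDHE", "DHE"}   # ephemeral key exchange
STATIC_KX = {"RSA", "DH", "ECDH"}      # long-term key also does the key exchange
AEAD_MARKERS = ("GCM", "CCM", "POLY1305")


@dataclass
class CipherSuite:
    name: str
    key_exchange: Optional[str]   # None for TLS 1.3 names, which carry no key exchange part
    signature: Optional[str]
    bulk_cipher: str
    mac: str                      # for AEAD suites this last token is the PRF/HKDF hash
    forward_secrecy: bool
    aead: bool
    warnings: List[str] = field(default_factory=list)


def parse_cipher_suite(name: str) -> CipherSuite:
    """Split an IANA cipher suite name into the parts shown on the slide and assess them."""
    if not name.startswith("TLS_"):
        raise ValueError(f"not an IANA TLS cipher suite name: {name}")
    body = name[len("TLS_"):]
    export = False
    if "_WITH_" in body:                                    # TLS 1.2 and earlier naming
        kx_part, cipher_part = body.split("_WITH_", 1)
        export = "EXPORT" in kx_part
        kx_tokens = [t for t in kx_part.split("_") if t != "EXPORT"]
        key_exchange: Optional[str] = kx_tokens[0]
        # TLS_RSA_WITH_...: RSA both exchanges the key and authenticates the server
        signature: Optional[str] = kx_tokens[1] if len(kx_tokens) > 1 else kx_tokens[0]
    else:                                                   # TLS 1.3: only cipher and hash
        key_exchange = signature = None
        cipher_part = body
    tokens = cipher_part.split("_")
    mac, bulk = tokens[-1], "_".join(tokens[:-1])
    aead = any(marker in bulk for marker in AEAD_MARKERS)
    suite = CipherSuite(name, key_exchange, signature, bulk, mac,
                        key_exchange is None or key_exchange in FORWARD_SECRET_KX, aead)
    w = suite.warnings
    if export:
        w.append("export-grade key material (FREAK class)")
    if signature == "anon":
        w.append("anonymous key exchange: the server is not authenticated")
    if key_exchange in STATIC_KX:
        w.append("no forward secrecy: a leaked server key decrypts recorded sessions")
    if "3DES" in bulk:
        w.append("3DES: 64-bit block cipher (Sweet32)")
    if bulk == "NULL" or "RC4" in bulk or bulk.startswith("DES_"):
        w.append("broken or absent bulk cipher")
    if "CBC" in bulk and not aead:
        w.append("CBC mode without AEAD (MAC-then-encrypt, padding-oracle class weaknesses)")
    if mac in ("SHA", "MD5") and not aead:
        w.append(f"{mac} based MAC is legacy; prefer SHA256/SHA384 or an AEAD suite")
    return suite


def evaluate(names: List[str]) -> Dict[str, List[str]]:
    """Map each suite name to its list of warnings (empty list = acceptable)."""
    return {n: parse_cipher_suite(n).warnings for n in names}


def acceptable(names: List[str]) -> List[str]:
    """The subset a defender would leave enabled, in the given preference order."""
    return [n for n in names if not parse_cipher_suite(n).warnings]


# Constructed sample: the suite from the anatomy slide, the weak suite called out
# for the Oracle Cloud, a static-RSA CBC suite, and a TLS 1.3 suite.
SAMPLE_SUITES = [
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_AES_128_GCM_SHA256",
]

if __name__ == "__main__":
    for suite_name, warns in evaluate(SAMPLE_SUITES).items():
        print(suite_name, "->", "OK" if not warns else "; ".join(warns))
```

The name alone cannot tell you everything: a DHE suite with a small group (Logjam) or a suite negotiated under TLS 1.0 still needs the version and the server's group parameters checked, which is why the slides treat protocol version and cipher suite as two separate findings.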
COMPOSITES
CONFIGURE THE COMPOSITE IDENTITY KEYSTORE
• Integratie loket | 3 October 2017
COMPOSITES
CONFIGURE THE KEYSTORE PASSWORD AND KEY PASSWORD
COMPOSITES
CONFIGURE THE REFERENCE
• Use an HTTPS endpoint
Add a property to the binding for 2-way SSL
SERVICE BUS
PKICREDENTIALMAPPER
SERVICE BUS
SERVICEKEYPROVIDER
WEBSERVICE SECURITY
SYMMETRIC CRYPTOGRAPHY
[Figure: Original data → Encryption → Encrypted data → Decryption → Original data]
WEBSERVICE SECURITY
SYMMETRIC CRYPTOGRAPHY
• Challenge
How to get the same key at the client and server without allowing someone to intercept the key
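One answer to the challenge above, as an added example that is not code from the slides: a Diffie-Hellman key agreement, the "key exchange" part of the cipher suite names earlier in the deck. Both sides send only public values, and each derives the same symmetric key from its own private value and the other side's public value; an observer who records the exchange lacks both private values. The group parameters are constructed toy values (p = 2^127 - 1, g = 2) so the arithmetic is readable; real deployments use a standardized group or an elliptic curve. The degenerate-value check is the part a practitioner should not skip.

```python
import hashlib
import secrets
from typing import Tuple

# Toy group, constructed for this example only: a Mersenne prime and a small base.
# Production code uses standardized parameters (e.g. an RFC 7919 group or an
# elliptic curve), never a hand-picked prime this small.
P = 2 ** 127 - 1
G = 2


def generate_keypair() -> Tuple[int, int]:
    """Private exponent stays local; only the public value G^priv mod P is sent."""
    private = secrets.randbelow(P - 3) + 2       # 2 .. P-2
    return private, pow(G, private, P)


def derive_shared_key(my_private: int, their_public: int) -> bytes:
    """Compute their_public^my_private mod P and hash it into a fixed-size symmetric key."""
    if not 1 < their_public < P - 1:
        # 0, 1 and P-1 would force a predictable shared value regardless of my_private
        raise ValueError("rejected degenerate public value (0, 1 or p-1)")
    shared = pow(their_public, my_private, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()   # P < 2^127 fits in 16 bytes


def agree() -> Tuple[bytes, bytes]:
    """Run the exchange for a client and a server; only the two public values cross the wire."""
    client_private, client_public = generate_keypair()
    server_private, server_public = generate_keypair()
    client_key = derive_shared_key(client_private, server_public)
    server_key = derive_shared_key(server_private, client_public)
    return client_key, server_key


def keys_match() -> bool:
    client_key, server_key = agree()
    return client_key == server_key


def rejects_degenerate() -> bool:
    """Every degenerate peer value must be refused before any key is derived."""
    private, _ = generate_keypair()
    for bad in (0, 1, P - 1):
        try:
            derive_shared_key(private, bad)
            return False
        except ValueError:
            continue
    return True


if __name__ == "__main__":
    print("both sides hold the same key:", keys_match())
    print("degenerate values refused:", rejects_degenerate())
```

On its own this exchange settles confidentiality of the key but not who is on the other end: anyone in the path could run it with both parties. That is why the suite pairs ECDHE with a signature algorithm (ECDSA or RSA) and a certificate, which is the "repudiation of origin" half of the cipher-suite slide.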
AUTHORIZATION
• oracle/binding_authorization_template
• Role based access to a binding
• oracle/component_authorization_template
• Role based access to a component
• oracle/component_permission_authorization_template
• Authenticated subject can access the component / webservice operation
WEBSERVICE SECURITY
WEBLOGIC SERVER: ORACLE WEBSERVICE MANAGER
• Centrally define and store declarative policies applied to multiple Web services.
• Locally enforce policies through configurable agents.
• Monitor run time security events such as failed authentication or authorization.
https://docs.oracle.com/middleware/1221/owsm/security/owsm-predefined-policies.htm
WEBSERVICE SECURITY
WEBLOGIC SERVER: KEYSTORE CONFIGURATION
WEBSERVICE SECURITY
WEBLOGIC SERVER: CREDENTIAL STORE FRAMEWORK

More Related Content

PPTX
CIS Compliance Automations Eevidence Collection, Security and Compliance Be...
PPTX
Design Practices for a Secure Azure Solution
PPTX
Hashitalks 2021 - How the Dynamic Duo of Vault and Puppet Tame SSL Certificates
DOCX
XenMobile Packet Flow
PDF
How to integration DataPower with Zos
PPTX
Windows Azure Security & Compliance
PDF
020618 Why Do we Need HTTPS
PPTX
Service Discovery with Consul
CIS Compliance Automations Eevidence Collection, Security and Compliance Be...
Design Practices for a Secure Azure Solution
Hashitalks 2021 - How the Dynamic Duo of Vault and Puppet Tame SSL Certificates
XenMobile Packet Flow
How to integration DataPower with Zos
Windows Azure Security & Compliance
020618 Why Do we Need HTTPS
Service Discovery with Consul

What's hot (20)

PDF
Networking deep dive
PDF
Security hardening of core AWS services
PPTX
Enterprise Node - Securing Your Environment
PPT
24 Hours Of Exchange Server 2007 ( Part 15 Of 24)
PDF
Using Istio to Secure & Monitor Your Services
PDF
Microservices Technology Stack
PPTX
Securing AWS Accounts with Hashi Vault
PDF
Citrix Day 2014: XenMobile Enterprise Edition
PPTX
Latest Trends in Web Application Security
PPTX
AWS Security
PDF
Alfresco DevCon 2019: Encryption at-rest and in-transit
PPTX
Integrating security into the application development process
PDF
Making Security Approachable for Developers and Operators
PDF
Architecting &Building Scalable Secure Web API
PPTX
Azure network and infrastructure
PPTX
Automating the VMware Virtual Datacenter
PPTX
CCI2018 - Azure Network - Security Best Practices
PPTX
Service Mesh 101 - Digging into your service
PPTX
Shared Security Responsibility for the Azure Cloud
PDF
Introduction to vault
Networking deep dive
Security hardening of core AWS services
Enterprise Node - Securing Your Environment
24 Hours Of Exchange Server 2007 ( Part 15 Of 24)
Using Istio to Secure & Monitor Your Services
Microservices Technology Stack
Securing AWS Accounts with Hashi Vault
Citrix Day 2014: XenMobile Enterprise Edition
Latest Trends in Web Application Security
AWS Security
Alfresco DevCon 2019: Encryption at-rest and in-transit
Integrating security into the application development process
Making Security Approachable for Developers and Operators
Architecting &Building Scalable Secure Web API
Azure network and infrastructure
Automating the VMware Virtual Datacenter
CCI2018 - Azure Network - Security Best Practices
Service Mesh 101 - Digging into your service
Shared Security Responsibility for the Azure Cloud
Introduction to vault
Ad

Similar to Webservice security considerations and measures (20)

PPTX
All you need to know about transport layer security
PDF
Webinar SSL English
PPTX
Certificate pinning in android applications
PPTX
Toronto MuleSoft Meetup: Virtual Meetup #3
PPTX
Securing TCP connections using SSL
PDF
SSL certificates in the Oracle Database without surprises
PDF
Security Patterns with WSO2 ESB
PPTX
Vital Aspects of SSL Support in MySQL
PDF
Securing Oracle EBS on Oracle Cloud Infrastructure_PPT_v2.pdf
PDF
SSL Everywhere!
PDF
RightScale Webinar: Security and Compliance in the Cloud
PDF
Dr. Omar Ali Alibrahim - Ssl talk
PDF
CRYPTOGRAPHY AND NETWORK SECURITY- Transport-level Security
PDF
presentation2-151203145018-lva1-app6891.pdf
PPTX
ION Cape Town - DANE: The Future of Transport Layer Security (TLS)
PDF
White paper - Full SSL automation with OneClickSSL
PDF
Deploying Next Generation Firewalling with ASA - CX
PPTX
Don't Get Schooled: Performance and Security Tips from a Leading Education Sa...
PPT
Introduction to Secure Sockets Layer
All you need to know about transport layer security
Webinar SSL English
Certificate pinning in android applications
Toronto MuleSoft Meetup: Virtual Meetup #3
Securing TCP connections using SSL
SSL certificates in the Oracle Database without surprises
Security Patterns with WSO2 ESB
Vital Aspects of SSL Support in MySQL
Securing Oracle EBS on Oracle Cloud Infrastructure_PPT_v2.pdf
SSL Everywhere!
RightScale Webinar: Security and Compliance in the Cloud
Dr. Omar Ali Alibrahim - Ssl talk
CRYPTOGRAPHY AND NETWORK SECURITY- Transport-level Security
presentation2-151203145018-lva1-app6891.pdf
ION Cape Town - DANE: The Future of Transport Layer Security (TLS)
White paper - Full SSL automation with OneClickSSL
Deploying Next Generation Firewalling with ASA - CX
Don't Get Schooled: Performance and Security Tips from a Leading Education Sa...
Introduction to Secure Sockets Layer
Ad

More from Maarten Smeets (15)

PPTX
Google jib: Building Java containers without Docker
PPTX
Introduction to Anchore Engine
PPTX
R2DBC Reactive Relational Database Connectivity
PPTX
Performance Issue? Machine Learning to the rescue!
PPTX
Performance of Microservice Frameworks on different JVMs
PPTX
Performance of Microservice frameworks on different JVMs
PPTX
VirtualBox networking explained
PPTX
Microservices on Application Container Cloud Service
PPTX
WebLogic Stability; Detect and Analyse Stuck Threads
PPTX
Introduction to Redis
PPTX
Machine learning with R
PPTX
WebLogic Scripting Tool made Cool!
PPTX
Oracle SOA Suite 12.2.1 new features
PPTX
How to build a cloud adapter
PPTX
WebLogic authentication debugging
Google jib: Building Java containers without Docker
Introduction to Anchore Engine
R2DBC Reactive Relational Database Connectivity
Performance Issue? Machine Learning to the rescue!
Performance of Microservice Frameworks on different JVMs
Performance of Microservice frameworks on different JVMs
VirtualBox networking explained
Microservices on Application Container Cloud Service
WebLogic Stability; Detect and Analyse Stuck Threads
Introduction to Redis
Machine learning with R
WebLogic Scripting Tool made Cool!
Oracle SOA Suite 12.2.1 new features
How to build a cloud adapter
WebLogic authentication debugging

Recently uploaded (20)

PDF
Adobe Premiere Pro 2025 (v24.5.0.057) Crack free
PDF
SAP S4 Hana Brochure 3 (PTS SYSTEMS AND SOLUTIONS)
PDF
Design an Analysis of Algorithms I-SECS-1021-03
PDF
Understanding Forklifts - TECH EHS Solution
PPTX
Agentic AI : A Practical Guide. Undersating, Implementing and Scaling Autono...
PDF
How Creative Agencies Leverage Project Management Software.pdf
PPTX
Odoo POS Development Services by CandidRoot Solutions
PDF
wealthsignaloriginal-com-DS-text-... (1).pdf
PDF
Navsoft: AI-Powered Business Solutions & Custom Software Development
PDF
Why TechBuilder is the Future of Pickup and Delivery App Development (1).pdf
PPTX
Introduction to Artificial Intelligence
PPTX
VVF-Customer-Presentation2025-Ver1.9.pptx
PDF
Design an Analysis of Algorithms II-SECS-1021-03
PDF
AI in Product Development-omnex systems
PDF
Upgrade and Innovation Strategies for SAP ERP Customers
PDF
How to Choose the Right IT Partner for Your Business in Malaysia
PDF
Nekopoi APK 2025 free lastest update
PPTX
CHAPTER 2 - PM Management and IT Context
PDF
Internet Downloader Manager (IDM) Crack 6.42 Build 42 Updates Latest 2025
PPTX
Reimagine Home Health with the Power of Agentic AI​
Adobe Premiere Pro 2025 (v24.5.0.057) Crack free
SAP S4 Hana Brochure 3 (PTS SYSTEMS AND SOLUTIONS)
Design an Analysis of Algorithms I-SECS-1021-03
Understanding Forklifts - TECH EHS Solution
Agentic AI : A Practical Guide. Undersating, Implementing and Scaling Autono...
How Creative Agencies Leverage Project Management Software.pdf
Odoo POS Development Services by CandidRoot Solutions
wealthsignaloriginal-com-DS-text-... (1).pdf
Navsoft: AI-Powered Business Solutions & Custom Software Development
Why TechBuilder is the Future of Pickup and Delivery App Development (1).pdf
Introduction to Artificial Intelligence
VVF-Customer-Presentation2025-Ver1.9.pptx
Design an Analysis of Algorithms II-SECS-1021-03
AI in Product Development-omnex systems
Upgrade and Innovation Strategies for SAP ERP Customers
How to Choose the Right IT Partner for Your Business in Malaysia
Nekopoi APK 2025 free lastest update
CHAPTER 2 - PM Management and IT Context
Internet Downloader Manager (IDM) Crack 6.42 Build 42 Updates Latest 2025
Reimagine Home Health with the Power of Agentic AI​

Webservice security considerations and measures

  • 1. WEBSERVICE SECURITY CONSIDERATIONS AND MEASURES Maarten Smeets 03-12-2017
  • 2. @MaartenSmeetsNL https://nl.linkedin.com/in/smeetsm About Maarten • Integration consultant at AMIS since 2014 • Several certifications SOA, BPM, MCS, Java, SQL, PL/SQL, etc • Enthusiastic blogger http://javaoraclesoa.blogspot.com
  • 3. WEBSERVICE SECURITY INTRODUCTION TLS/SSL AND APPLICATION LAYER TLS IN SOA SUITE TLS IN THE ORACLE CLOUD AUTHENTICATION IDENTIFICATION USING HTTP HEADERS WS-SECURITY FINAL THOUGHTS
  • 5. WEBSERVICE SECURITY GDPR IN THE UK AND WITHDRAWAL FROM THE EU • 21 June 2017 The Queen’s Speech has confirmed that the General Data Protection Regulation will form part of UK law following the country’s withdrawal from the European Union.
  • 6. GDPR AT UKOUG Time Session title Conference Presenter Mo 12:35 GDPR for the Oracle DBA Tech17 Peter Finnigan PeteFinnigan.com Tu 9:00 Impact of EU GDPR on Big Data & Business Intelligence Apps17 Baljit Sarpal Sarpal Consultancy Tu 11:15 EU GDPR Mechanisms of Control with Process Modelling & Data & Application Services Gov Apps17 Milomir Vojvodic Oracle Tu 14:50 GDPR & IFRS Compliance JDE17 Howard Page QSoftware
  • 7. WEBSERVICE SECURITY GENERAL DATA PROTECTION REGULATION (GDPR) • "...implement measures to mitigate those risks, such as encryption." (P51. (83)) • "...appropriate safeguards, which may include encryption" (P121 (4.e)) • "...including inter alia as appropriate: (a) the pseudonymization and encryption of personal data." (P160 (1a)) • "...unintelligible to any person who is not authorized to access it, such as encryption" (P163 (3a))
  • 8. WEBSERVICE SECURITY • Confidentiality • Integrity • Authentication / Identity • Authorization • Access to specific resources • Entitlements
  • 9. WEBSERVICE SECURITY Application layer (HTTP, LDAP) TLS/SSL layer Transport layer (TCP, UDP) Netwerk layer (IP) Security only in the application layer might cause plaintext passwords or reusable tokens to be transmitted and potentially intercepted
  • 10. WEBSERVICE SECURITY TLS/SSL VS APPLICATION LAYER SECURITY • Performance TLS/SSL is much faster than security on message contents • Granularity TLS/SSL is usually on host level • Application security can be much more specific • Genericity • TLS/SSL can be used on HTTP, SMTP, T3 • Application layer security is specific for a platform / application
  • 11. WEBSERVICE SECURITY WHICH PRODUCTS • Part of gateway products • API Gateway • API Platform Cloud Service • Part of application server / integration products such as • WebLogic Server / SOA Suite • Java Cloud Service / SOA CS • Part of ‘high’ PaaS and SaaS products such as • Mobile Cloud Service • Integration Cloud Service
  • 12. REPUDIATION OF ORIGIN Do you trust the source of the message Authentication and identification
  • 13. REPUDIATION OF EMISSION Do you trust the contents of the message Integrity and confidentiality
  • 14. 1 2 WEBSERVICE SECURITY TLS/SSL layer Application layer
  • 15. WEBSERVICE SECURITY TLS/SSL LAYER • Client and server perform a handshake • During the handshake certificates are exchanged • Certificates are stored in keystores and can be checked • Client and server agree on further details of the connection (cipher suite)
  • 16. WEBSERVICE SECURITY WHAT’S IN A CERTIFICATE • A public key • Information on the issuer • A serial number, unique per issuer • A period during which the certificate is valid • A hostname or hostname wildcard • References to certificate revocation lists
  • 17. WEBSERVICE SECURITY KEYSTORE TYPES IN WEBLOGIC SERVER • JKS: Java KeyStore Filesystem storage • Edit using • CLI: keytool • GUI (3rd party): • KeyExplorer • Portecle • KSS: OPSS KeyStoreService Database storage • Edit using • WLST • REST API • FMW Control • Introduced in WLS 10.3.6 (SOA Suite 11.1.1.7) Default in 12c https://technology.amis.nl/2017/09/24/oracle-soa-suite-and-weblogic-overview-of-key-and-keystore-configuration/ • Used for TLS/SSL and application layer security (OWSM)
  • 18. WEBSERVICE SECURITY TLS: USING CIPHER SUITES TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 Key exchange Signature Bulk encryption algorithm Message authentication algorithm Repudiation of origin Integrity Repudiation of emission ConfidentialityAuthentication Identification
  • 19. TRANSPORT LAYER SECURITY ONE WAY • The client does not send a certificate the server can check • The server sends a certificate the client can check
  • 20. TRANSPORT LAYER SECURITY TWO WAY • The client sends a certificate the server can check • The server sends a certificate the client can check
  • 21. CONSIDERATIONS ONE OR TWO WAY SSL • Do you require validation of the client? Are client and server located in the same data center? • Can you control the client? Force the client to use a client certificate? Manage client certificates next to server certificates • Performance. • Per TLS connection extra validations need to be performed. • More network traffic is required since the client also sends a certificate
  • 22. 1 2 OUTBOUND 2-WAY SSL SOA SUITE Composites Service Bus
  • 23. COMPOSITES • Configure the composite identity keystore This is domain level configuration! Not customizable per service • Configure keystore password and key password Add CSF entries in the folder SOA • Configure composite reference for 2-way SSL <property name=”oracle.soa.two.way.ssl.enabled”>true</property> • Trust the public certificates Put the client certificate or CA in the server truststore and the server certificate or CA in the client truststore.
  • 24. SERVICE BUS • PKICredentialMapper Create a PKICredentialMapper in WebLogic Console Define the keystore and keystore password • ServiceKeyProvider Create a ServiceKeyProvider in a project (or a shared location) This uses the PKICredentialMapper. Contains a reference to the key and key password http://www.redrock-it.nl/add-client-certificate-outgoing-osb-call/
  • 25. 1 2 TLS IN THE ORACLE CLOUD IaaS and Compute based PaaS Non Compute based PaaS and SaaS
  • 26. ORACLE CLOUD IAAS AND COMPUTE BASED PAAS • Services in which the customer can access the VM Like Java Cloud Service, Database Cloud Service • “bring your own host name” policy • The customer is responsible for requesting a certificate and implementing it http://www.ateam-oracle.com/https-and-trust-in-oracle-public-cloud/
  • 27. ORACLE CLOUD NON COMPUTE BASED PAAS AND SAAS • Services like ICS, SOACS, Mobile Cloud Service, Document Cloud Service, Sales Cloud, ERP Cloud • Oracle offers a (wildcard) certificate per cloud service per region • Cipher suites are preconfigured and not configurable
  • 29. 1 2 AUTHENTICATION / IDENTIFICATION HTTP HEADERS Basic authentication OAuth
  • 30. WEBSERVICE SECURITY HTTP HEADERS: BASIC AUTHENTICATION Basic Authentication HTTP header name : Authorization HTTP header contents: Basic dXNlcjpwYXNzd29yZA== Base64 encoded user:password
  • 32. WEBSERVICE SECURITY HTTP HEADERS: OAUTH 2.0: MOBILE CLOUD SERVICE
  • 33. WEBSERVICE SECURITY HTTP HEADERS: OAUTH 2.0: MOBILE CLOUD SERVICE Use basic authentication to obtain a token from the tokenservice Token is valid for 8h
  • 34. WEBSERVICE SECURITY HTTP HEADERS: OAUTH 2.0: MOBILE CLOUD SERVICE Use the token
  • 35. 1 2 AUTHENTICATION / IDENTIFICATION WS-SECURITY UsernamePassword token Digest token
  • 36. AUTHENTICATION WS-SECURITY USING A USERNAME/PASSWORD TOKEN • WS-Security Username Authentication oracle/wss_username_token_client_policy oracle/wss_username_token_server_policy
  • 37. AUTHENTICATION WS-SECURITY USING A DIGEST TOKEN • WS-Security provides authentication based on a digest token • A digest token consists of a cryptographic hash of • A username / password • A nonce: a number or string which can be used only once • A timestamp
  • 38. AUTHENTICATION WS-SECURITY USING A DIGEST TOKEN IN WLS/OWSM • WebLogic Server + OWSM • Only when authenticating using WLS internal LDAP Password decryption should be possible • Can only authenticate users created after the digest configuration has been applied • Nonce A nonce can be cached in Coherence Mind the Coherence configuration! https://thecattlecrew.net/2017/03/22/ws-security-with-username-token-profile-on-oracle-weblogic-server/
  • 39. CONFIDENTIALITY AND INTEGRITY ON THE APPLICATION LAYER USING WS-SECURITY • Confidentiality: XML Encryption • Message encryption • Integrity: XML Signature • Messages have not been changed since signing • The sending party uses his private key for signing. The receiving party can check this with the senders public key
  • 40. CONFIDENTIALITY AND INTEGRITY ORACLE WEBSERVICE MANAGER: POLICIES • oracle/wss10_message_protection_client_policy oracle/wss11_message_protection_client_policy oracle/wss10_message_protection_server_policy oracle/wss11_message_protection_server_policy KSS keystore: Key alias JKS keystore: CSF entry in oracle.wsm.security
  • 41. CONFIDENTIALITY • oracle/pii_security_policy Encryption of Personally Identifiable Information (PII) • Only within a composite • You want to use the value? First decrypt it (using Java embedding) Personally Identifiable Information
  • 43. 1 2 Considerations Food for thought
  • 45. PERFORMANCE • WS SecureConversation With multiple messages, the number of authentications performed is reduced • System entropy (especially on VM’s) http://oraclemiddlewareblog.com/2012/10/17/how-to-improve- weblogic-servers-startup-time http://bugs.java.com/view_bug.do?bug_id=6521844 • Preemptive basic authentication http://georgie-soablog.blogspot.nl/2013/09/bpel-calling-web- services-with-http.html https://en.wikipedia.org/wiki/WS-Security
  • 46. FOOD FOR THOUGHT GDPR • Do you know what Personally Identifiable Information (PII) exactly is? • Do you know where your PII data is located, cached, stored (backups?), aggregated, analyzed, …? • Do you know who can access this data? And for what reason? Do you keep record of people accessing data? • Do you know who has the responsibility to provide agreements and assessments for (storing, processing, transmitting) this data? • Can you remove PII data in all systems on request? • Can you provide a client with all the PII data you have on them?
  • 48. REPUDIATION OF EMISSION • Send a hash value with the message • The same message produces the same value with the same hash function • Only sender and receiver know the hash function Message Hash function Hash value
  • 49. TRANSPORT LAYER SECURITY VERSIONS
    Version   Designed by   Released   Main vulnerabilities
    SSL 1     Netscape      never      Never released due to too many issues
    SSL 2     Netscape      1995       DROWN
    SSL 3     Netscape      1996       POODLE
    TLS 1.0   IETF          1999       BEAST
    TLS 1.1   IETF          2006       CBC, Sweet32
    TLS 1.2   IETF          2008       Logjam, FREAK, Heartbleed (OpenSSL implementation bug, not a protocol flaw)
    TLS 1.3   IETF          TBD (still a draft at the time of this talk, 2017)
  • 50. TRANSPORT LAYER SECURITY JAVA • TLS 1.2 is supported from • Oracle JDK 6u121 • JRockit R28.3.11 • The strongest cipher suites (for example 256-bit AES) require the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files • JCE can be installed on JRockit and Oracle JDK, see Oracle support Doc ID 2262067.1 • In new versions of Java installation of JCE is no longer required (unlimited strength is the default): 6u191, 7u181, 8u171, 9
  • 51. ORACLE CLOUD CIPHER SUITES • TLS 1.0 is still supported: possibly vulnerable to POODLE and BEAST • TLS 1.2 GCM cipher suites are not supported. These are AEAD suites that provide confidentiality and integrity in one primitive and avoid the CBC padding problems of the older suites • Several cipher suites use SHA-1 (next to SHA-256). SHA-1 is deprecated since practical collision attacks exist • TLS_RSA_WITH_3DES_EDE_CBC_SHA is a weak cipher suite: 64-bit block cipher (Sweet32) and an RSA key exchange without forward secrecy
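  The checks from slides 49 and 51 turned into code, as an added example (not from the presentation and not an Oracle Cloud or SOA Suite API): it classifies cipher suites by the slide's criteria (3DES, or no AEAD such as GCM/CHACHA20, which covers the CBC/SHA-1 suites), reports whether a context still allows TLS 1.0, and builds a client context with those findings fixed. It uses Python's standard `ssl` module; the cipher string and function names are choices made for this example.

```python
import ssl


def is_weak_suite(name: str, aead: bool) -> bool:
    """Weak by the criteria on the slide: 3DES, or a non-AEAD suite
    (CBC + HMAC, typically with SHA-1). AEAD suites (GCM, CHACHA20-POLY1305) pass."""
    return "3DES" in name or not aead


def weak_suites(ctx: ssl.SSLContext) -> list:
    """Names of the suites this context would still negotiate that fail the criteria.
    get_ciphers() reports an 'aead' flag per suite, so CBC suites are caught by name-
    independent logic rather than by string matching on 'SHA'."""
    return [c["name"] for c in ctx.get_ciphers() if is_weak_suite(c["name"], c["aead"])]


def allows_tls10(ctx: ssl.SSLContext) -> bool:
    """True when the minimum protocol version still admits TLS 1.0 (POODLE/BEAST era)."""
    return ctx.minimum_version <= ssl.TLSVersion.TLSv1


def hardened_context() -> ssl.SSLContext:
    """Client context with the slide's findings fixed: TLS 1.2 or later only,
    ECDHE (forward secrecy) with AEAD suites, no 3DES, no CBC/SHA-1 suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # OpenSSL cipher string: ECDHE key exchange with AES-GCM or ChaCha20, nothing unauthenticated.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!3DES")
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def hardened_minimum_version() -> str:
    """Name of the lowest protocol the hardened context will speak."""
    return hardened_context().minimum_version.name


def audit(ctx: ssl.SSLContext) -> dict:
    """Summary a practitioner would paste into a finding."""
    return {
        "allows_tls10": allows_tls10(ctx),
        "suite_count": len(ctx.get_ciphers()),
        "weak_suites": weak_suites(ctx),
    }


if __name__ == "__main__":
    # The library default varies per OpenSSL build; the hardened context should be clean everywhere.
    print("library default:", audit(ssl.create_default_context()))
    print("hardened:       ", audit(hardened_context()))
```

  The same audit can be pointed at a real endpoint by wrapping a socket with `hardened_context().wrap_socket(...)`: a server that only offers TLS 1.0 or 3DES will fail the handshake, which is the behaviour you want a client of such a service to have.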
  • 52. COMPOSITES CONFIGURE THE COMPOSITE IDENTITY KEYSTORE • Integratie loket | 3 October 2017
  • 53. COMPOSITES CONFIGURE THE KEYSTORE PASSWORD AND KEY PASSWORD
  • 54. COMPOSITES CONFIGURE THE REFERENCE • Use an HTTPS endpoint Add a property to the binding for 2-way SSL
  • 59. WEBSERVICE SECURITY SYMMETRIC CRYPTOGRAPHY [Diagram: original data → encryption (with the shared key) → encrypted data → decryption (with the same key) → original data]
  • 60. WEBSERVICE SECURITY SYMMETRIC CRYPTOGRAPHY • Challenge How to get the same key at the client and server without allowing someone to intercept the key
  • 61. AUTHORIZATION • oracle/binding_authorization_template • Role based access to a binding • oracle/component_authorization_template • Role based access to a component • oracle/component_permission_authorization_template • Authenticated subject can access the component / webservice operation
  • 62. WEBSERVICE SECURITY WEBLOGIC SERVER: ORACLE WEBSERVICE MANAGER • Centrally define and store declarative policies applied to the multiple Web services. • Locally enforce policies through configurable agents. • Monitor run time security events such as failed authentication or authorization. https://docs.oracle.com/middleware/1221/owsm/security/owsm-predefined-policies.htm
  • 63. WEBSERVICE SECURITY WEBLOGIC SERVER: KEYSTORE CONFIGURATION
  • 64. WEBSERVICE SECURITY WEBLOGIC SERVER: CREDENTIAL STORE FRAMEWORK

Editor's Notes

  • #5: Why should you care
  • #8: For example, the context for encryption is not specified. In transit? At rest?
  • #9: Topics based on Dutch government architecture documents https://www.earonline.nl/index.php/Overzicht_Baseline_Informatiebeveiliging_Rijksdienst_%28BIR_2012%29
  • #10: Application layer and transport layer are relevant for webservice security
  • #12: API Gateway supports many WS-* standards. API Platform is mainly focused on REST
  • #15: How does TLS work? Certificates are exchanged, a cipher suite is agreed upon by client and server and further communication is encrypted and checked
  • #17: Check serial number!
  • #19: Message authentication algorithm helps check if the message has been altered: integrity. Encryption algorithm provides confidentiality. This is an example of a currently good cipher suite. ECDSA might be a liability with quantum computing
  • #23: Inbound is WLS configuration
  • #24: For the inbound web service bindings, Oracle SOA Suite uses the Oracle WebLogic Server infrastructure and, therefore, the Oracle WebLogic Server libraries for SSL. For the outbound web service bindings, Oracle SOA Suite uses JRF HttpClient and, therefore, the Sun JDK libraries for SSL
  • #32: OAuth, SAML and JWT
  • #37: https://docs.oracle.com/middleware/1221/owsm/security/owsm-predefined-policies.htm#OWSMS4473 Please make it easy on yourselves and don’t use custom SOAP headers for username/password Double encryption is not allowed
  • #39: Replay attacks are mitigated with nonces
  • #46: https://docs.oracle.com/middleware/1212/owsm/OWSMC/owsm-security-concepts.htm#OWSMC116
  • #63: OWSM is the product used to implement application layer security in WebLogic server