Transport-level security applies security checks as part of establishing a connection between service consumers, proxy services, and business services. The type of security checks that AquaLogic Service Bus can apply depends on the protocol that the proxy service or business service uses to communicate. Some protocols can also encrypt the communication between client and endpoint to prevent snooping from third parties.
Inbound transport-level secures the communication between clients and AquaLogic Service Bus proxy services. Outbound transport security secures all three techniques of sending outbound requests from AquaLogic Service Bus proxy services: route actions, publish actions, and callout actions.
The following sections describe configuring transport-level security:
Note: | Transport-level security secures only the connection itself. Even if you use the HTTPS or JMS protocols to encrypt the communication, if there is an intermediary between a Web services client and an AquaLogic Service Bus proxy service, such as a router, message queue or another proxy service, the intermediary gets the SOAP message in plain text. When the intermediary sends the message to the second receiver, the second receiver does not know who the original sender was. To prevent unintended intermediaries from viewing or modifying SOAP or JMS messages, configure message-level security in addition to transport-level security. See Configuring Message-Level Security for Web Services. |
The HTTPS protocol uses SSL to secure communication. SSL can be used to encrypt communication, ensure message integrity, and to require strong server and client authentication. Before you can use HTTPS, you must configure SSL in WebLogic Server, see Configuring the WebLogic Security Framework: Main Steps.
The following sections describe configuring transport-level security for the HTTPS protocol:
For each proxy service or business service that communicates over the HTTPS protocol, you can configure the service to require one of the following levels of authentication:
This level enables encrypted communication but does not require clients to provide credentials. To establish a one-way SSL connection, the client initiates the connection and AquaLogic Service Bus sends its certificate to the client. In other words, the client authenticates AquaLogic Service Bus.
This level enables encrypted communication and requires clients to supply a user name and password after the one-way SSL connection is established. The client supplies a user name and password by encoding it in the HTTP request header (which is encrypted by SSL). When the proxy service receives the encrypted request, it passes the credentials to the domain's authentication provider, which determines whether client's credentials match a user account that you have created.
This level enables encrypted communication and strong client authentication (two-way SSL).
To establish a two-way SSL connection, the client initiates the connection and AquaLogic Service Bus sends its X.509 certificate to the client. Then, the client sends its certificate to AquaLogic Service Bus and AquaLogic Service Bus authenticates the client.
To get the user name and password from the client request, you configure an identity assertion provider, which extracts a field in the certificate to use as the client identity (X.509 token), typically the CN (common name) or E (email) of the SubjectDistinguishedName
in the certificate. After extracting the X.509 token, the token is compared to the user accounts in the Security Configuration module of the AquaLogic Service Bus Console.
For more information about SSL and identity assertion providers, see Security Fundamentals in Understanding WebLogic Security.
To configure inbound transport-level security for a proxy service:
See Configuring the WebLogic Security Framework: Main Steps.
If you do not want AquaLogic Service Bus to authenticate clients, select an authentication level of one-way SSL, no authentication. For information about configuring a service producer (an external system to which a business service sends requests) to authenticate clients instead of AquaLogic Service Bus, see step 2 in Configuring Outbound HTTPS Security: Main Steps.
In outbound transport-level security, a proxy service is the client that opens a connection with a business service.
To configure outbound transport-level security:
If you configured the proxy service so that AquaLogic Service Bus does not authenticate clients, configure the enterprise system to authenticate clients by selecting an authentication level of one-way SSL, BASIC authentication.
You can add a user name and password directly to the service account, or configure the service account to pass through the credentials that it received from its client's request, or you can map a client user name to an AquaLogic Service Bus user. If you configured the proxy service so that AquaLogic Service Bus does not authenticate clients, create a service account that passes through the credentials. See Service Accounts in Using the AquaLogic Service Bus Console.
When the proxy service establishes a connection with the business service, it uses the business service's service account to provide a user name and password for BASIC authentication. (See Example: Authentication with a User Name Token.)
Proxy services will always use this key-pair to authenticate with the business service regardless of the key-pair that was used in inbound communication.
The HTTP protocol does not encrypt communication between clients and proxy services or business services, but it does support BASIC authentication in which clients send user names and passwords in requests.
Caution: | Unless you have configured strong network security, BEA recommends that you do not use BASIC authentication with HTTP in production environments because the password is sent in clear text. Instead, use BASIC authentication with HTTPS. |
The following sections describe configuring transport-level security for the HTTP protocol:
To configure inbound transport-level security for a proxy service:
See "Adding a Proxy Service" under Proxy Services in Using the AquaLogic Service Bus Console.
In outbound transport-level security, a proxy service is the client that opens a connection with a business service.
To configure outbound transport-level security:
See "Adding a Business Service" under Business Services in Using the AquaLogic Service Bus Console.
You can add a user name and password directly to the service account, or configure the service account to pass through the credentials that it received from its client's request, or you can map a client user name to an AquaLogic Service Bus user. If you configured the proxy service so that AquaLogic Service Bus does not authenticate clients, create a service account that passes through the credentials. See Service Accounts in Using the AquaLogic Service Bus Console.
While transport-level security for JMS does not provide end-to-end security for JMS messaging, it does provide the following:
AquaLogic Service Bus can communicate with local JMS servers or foreign JMS servers. The connection to JMS servers can be secured using the T3S protocol (T3 over SSL). T3 and T3S are proprietary BEA protocols.
Note: | JMS administrators use the WebLogic Server Administration Console to create access control policies that restrict access to WebLogic JMS servers and destinations in the JNDI tree. For more information, see Configuring JMS System Resources in Configuring and Managing WebLogic JMS and Securing WebLogic Resources. |
Note: | If a JMS administrator configures or changes an access control policy for a JMS destination, WebLogic Server can take up to 60 seconds to recognize the changes. |
Note: | By default, WebLogic Server JMS checks the policy for each JMS destination every 60 seconds. To change this behavior, modify the WebLogic Server startup command so that it sets the following system property to the frequency (in seconds) that you want WebLogic Server JMS to check access control policies:weblogic.jms.securityCheckInterval A value of 0 (zero) for this property ensures that an authorization check is performed for every send , receive , and getEnumeration action on a JMS resource. |
The following sections describe configuring JMS transport-level security:
To configure inbound JMS transport-level security:
AquaLogic Service Bus configures the JMS proxy service to use the T3S protocol.
You must add a user name and password directly in the service account. JMS cannot use a service account that passes through the credentials that it received from its client's request or that maps a client user name to an AquaLogic Service Bus user. See Service Accounts in Using the AquaLogic Service Bus Console.
To configure inbound JMS transport-level security:
AquaLogic Service Bus configures the JMS proxy service to use the T3S protocol.
You must add a user name and password directly in the service account. JMS cannot use a service account that passes through the credentials that it received from its client's request or that maps a client user name to an AquaLogic Service Bus user. See Service Accounts in Using the AquaLogic Service Bus Console.
You can use the same service account for both the JMS server and the JNDI tree if both objects require the same credentials.
The following sections describe the security measures that are available for communication over the email, FTP, and file protocols:
Email and FTP are not secure protocols. They support weak authentication, typically over insecure channels. The supported security method for email or FTP transport is the username and password needed to connect to the email or FTP server.
To secure email, you must designate a service account as an alias for the username and password in the AquaLogic Service Bus Console. The service will use the username and password to authenticate to the SMTP server.
To secure FTP, in the AquaLogic Service Bus Console, select external_user
and designate a service account as an alias for the username and password. The service will use the username and password to authenticate to the FTP server.
For information about how to add security to email and FTP transport, see "Adding a Business Service" in Business Services in the Using the AquaLogic Service Bus Console.
The supported security method for file transport is the user login to the computer on which the files are located.
If you configure a proxy service to authenticate clients, then you can access the client's identity and the security groups to which the client belongs from the proxy service's pipeline. The identity and group information is located in the message context at $inbound/ctx:security/ctx:transportClient/ctx:username
and$inbound/ctx:security/ctx:transportClient/ctx:principals/ctx:group
(the message context contains one ctx:group
element for each group the user belongs to)
If a proxy service does not authenticate clients, then the value of $inbound/ctx:security/ctx:transportClient/ctx:username
is <anonymous>
and there will not be any ctx:group
elements.
For more information, see "Inbound and Outbound Variables" in Message Context and "Message Flow" in Proxy Services in the Using the AquaLogic Service Bus Console.