Understanding AquaLogic Service Bus Security

AquaLogic Service Bus supports open industry standards for ensuring the integrity and privacy of communications and to ensure that only authorized users can access resources in an AquaLogic Service Bus domain. It uses the underlying WebLogic security framework as building blocks for its security services. The WebLogic security framework divides the work of securing a domain into several components (providers), such as authentication, authorization, credential mapping, and auditing. You configure only those providers that you need for a given AquaLogic Service Bus domain.

The following sections introduce the AquaLogic Service Bus security model and its features:

Inbound Security

Inbound security ensures that AquaLogic Service Bus proxy services handle only the requests that come from authorized clients. (By default, any anonymous or authenticated user can connect to a proxy service.) It can also ensure that no unauthorized user has viewed or modified the data as it was sent from the client.

Proxy services can have two types of clients: service consumers and other proxy services. Figure 2-1 illustrates that communication between proxy services and their clients is secured by inbound security, while communication between proxy services and business services is secured by outbound security.

You set up inbound security when you create proxy services and you can modify it as your needs change. For outward-facing proxy services (which receive requests from service consumers), consider setting up strict security requirements such as two-way SSL over HTTPS. For proxy services that are guaranteed to receive requests only from other AquaLogic Service Bus proxy services, you can use less secure protocols.

If a proxy service uses public key infrastructure (PKI) technology for digital signatures, encryption, or SSL authentication, create a proxy service provider to provide private keys paired with certificates. For more information, see Proxy Service Providers in Using the AquaLogic Service Bus Console.

For each proxy service, you can configure the following inbound security checks:

Transport-level security applies security checks as part of establishing a connection between a client and a proxy service. The security requirements that you can impose through transport-level security depend on the protocol that you configure the proxy service to use.

For example, for proxy services that communicate over the HTTPS protocol, you can require that all clients authenticate against a database of users that you create in the Security Configuration module of the AquaLogic Service Bus Console. You then create an access control policy that specifies conditions under which authenticated users are authorized to access the proxy service.

For information about configuring transport-level security for each supported protocol, see Configuring Transport-Level Security.

Message-level security (for proxy services that are Web Services) is part of the WS-Security specification. It applies security checks before processing a SOAP message or specific parts of a SOAP message.

Part of the configuration for message-level security is embedded in the WSDL document and WS-Policy document that are associated with the Web service. These documents specify whether SOAP messages must be digitally signed and encrypted and which Web service operations can be invoked only by authorized users.

If a proxy service or business service uses a WS-Policy statement to secure access to one or more of its operations, and if you have configured the service as an active intermediary (as opposed to a pass-through service), you use the AquaLogic Service Bus Console to create a message-level access control policy. The policy specifies conditions under which users, groups, or security roles are authorized to invoke the protected operations.

For more information about configuring message-level security, see Configuring Message-Level Security for Web Services.

Outbound Security

Outbound security secures communication between a proxy service and a business service. Most of the tasks that you complete for outbound security are for configuring proxy services to comply with the transport-level or message-level security requirements that business services specify.

For example, if a business service requires user name and password tokens, you create a service account, which either directly contains the user name and password, passes along the user name and password that was contained in the inbound request, or provides a user name and password that depend on the user name that was contained in the inbound request. For more information, see Service Accounts in Using the AquaLogic Service Bus Console.

If a business service requires the use of PKI technology for digital signatures, or SSL authentication, you create a proxy service provider, which provides private keys paired with certificates. For more information, see Proxy Service Providers in Using the AquaLogic Service Bus Console.

Options for Identity Propagation

A key group of decisions that you must make when designing security for AquaLogic Service Bus is how to handle (propagate) the identities that clients provide. You can configure AquaLogic Service Bus to do any of the following:

Table 2-1 describes the decisions that affect how AquaLogic Service Bus propagates client identities to business services.

Table 2-1 Options for Identity Propagation
Decision	Description
Which type of credentials do you require clients to provide?	For transport-level security, AquaLogic Service Bus adapts to your existing security requirements. Clients of AquaLogic Service Bus can supply user name and password tokens, SSL certificates, or any other type of token that is supported by an authentication provider that you configure. For message-level security, AquaLogic Service Bus supports the Username Token, X.509 Token, and SAML Token profiles (see Supported Standards and Security Providers). If you are establishing security requirements for a new business service that uses Web Services Security, BEA recommends that you require clients to provide SAML tokens. SAML is the emerging standard for propagating user identities within Web services. See Using SAML for Authentication.
Do you require AquaLogic Service Bus to authenticate clients or to simply pass the client-supplied credentials to business services for authentication?	When you require clients to authenticate with AquaLogic Service Bus, you add an additional layer of security. In general, the more security layers you add, the more secure you make a domain. To enable AquaLogic Service Bus to authenticate users, you must create user accounts in the AquaLogic Service Bus Console. If your set of users is very large, you must consider whether maintaining a large database of user accounts in the AquaLogic Service Bus Console is worth the effort.
If AquaLogic Service Bus authenticates clients that provide X.509 tokens or SAML tokens, which AquaLogic Service Bus user maps to the tokens?	BEA recommends that you require clients to authenticate with AquaLogic Service Bus and that you modify the default access-control policies to allow (authorize) only specific, authenticated users access to your proxy services. To authenticate and authorize clients who supply X.509 certificates, SAML tokens, or other types of credentials other than user names and passwords, you must configure an identity assertion provider that maps the client's credential to an AquaLogic Service Bus user. AquaLogic Service Bus will use this user name to establish a security context for the client.
If AquaLogic Service Bus authenticates clients that provide user name and password tokens, decide whether you want to: Pass the client's user name and password to the business service Map the client's user name to a new user name and password and pass the new credentials to the business service	If you pass the client-supplied user name and password to the business service, then clients are responsible for maintaining the credentials that the business service requires. If the business service changes its security requirements, then you must notify each client to make corresponding changes. If you expect a business service to change its requirements frequently, then consider mapping the credentials that clients supply to the credentials that the business service requires. The more clients for a business service, the more work will be required to maintain this credential mapping.

Table 2-2 describes all combinations of the requirements that you can impose for inbound and outbound transport-level security.

Table 2-2 Combinations of Transport-Level Security Requirements
This Inbound Requirement...	Can Be Used With This Outbound Requirement...	How to Configure
Client supplies user name and password in the HTTP or HTTPS header and AquaLogic Service Bus authenticates the client.	Pass the client's credentials in an HTTP or HTTPS header.	Configure inbound HTTPS (or HTTP) security. See Configuring Inbound HTTPS Security: Main Steps. Be sure to add the client's user name to the AquaLogic Service Bus Security Configuration module. Configure outbound HTTPS (or HTTP) security. See Configuring Outbound HTTPS Security: Main Steps. Be sure to create a pass-through service account and attach the account to the business service.
	Map the client's credentials to a different AquaLogic Service Bus user and pass the new credentials in an HTTP or HTTPS header.	Configure inbound HTTPS (or HTTP) security. See Configuring Inbound HTTPS Security: Main Steps. Be sure to add the client's user name to the AquaLogic Service Bus Security Configuration module. Configure outbound HTTPS (or HTTP) security. See Configuring Outbound HTTPS Security: Main Steps. Be sure to create a user-mapping service account and attach the account to the business service.
Client supplies user name and password in the HTTP or HTTPS header and AquaLogic Service Bus does not authenticate the client.	Pass the client's credentials in an HTTP or HTTPS header.	Configure inbound HTTPS (or HTTP) security. See Configuring Inbound HTTPS Security: Main Steps. Be sure to configure the proxy service for HTTP, no authentication or HTTPS, one-way SSL, no authentication. Configure outbound HTTPS (or HTTP) security. See Configuring Outbound HTTPS Security: Main Steps. Be sure to configure the business service for HTTP BASIC authentication or HTTPS, one-way SSL, BASIC authentication. Also create a pass-through service account and attach the account to the business service.
	Pass the client's credentials to an EJB over RMI. The EJB container authenticates the user.	Create a pass-through service account and attach the account to the business service. See " Service Accounts" in Using the AquaLogic Service Bus Console.
Any form of local authentication (HTTP or HTTPS BASIC, HTTPS CLIENT CERT with credential mapping)	Pass the client's credentials to an EJB over RMI. The EJB container authenticates the user.	Create a pass-through service account and attach the account to the business service. See " Service Accounts" in Using the AquaLogic Service Bus Console.
	Map the client's credentials to a different AquaLogic Service Bus user and pass the new credentials to an EJB over RMI. The EJB container authenticates the user.	Create a user-mapping service account and attach the account to the business service. See " Service Accounts" in Using the AquaLogic Service Bus Console.

Table 2-3 describes all combinations of the requirements that you can impose for inbound and outbound message-level security. In some cases, the inbound requirement for transport-level security affects the requirements that you can impose for outbound message-level security.

Table 2-3 Combinations of Message-Level Security Requirements
This Inbound Requirement...	Can Be Used With This Outbound Requirement...	How to Configure
Client supplies user name and password in the HTTP or HTTPS header and AquaLogic Service Bus authenticates the client.	Pass the client's credentials in a SOAP header.	Configure inbound HTTPS (or HTTP) security. See Configuring Inbound HTTPS Security: Main Steps. Be sure to add the client's user name to the AquaLogic Service Bus Security Configuration module. Create a pass-through service account and attach the account to the business service. See " Service Accounts" in Using the AquaLogic Service Bus Console.
	Map the client's credentials to a different AquaLogic Service Bus user and pass the new credentials in a SOAP header.	Configure inbound HTTPS (or HTTP) security. See Configuring Inbound HTTPS Security: Main Steps. Be sure to add the client's user name to the AquaLogic Service Bus Security Configuration module. Create a user-mapping service account and attach the account to the business service. See " Service Accounts" in Using the AquaLogic Service Bus Console.
	Map the client credentials to a SAML token. AquaLogic Service Bus asserts the user identity.	Configure inbound HTTPS (or HTTP) security. See Configuring Inbound HTTPS Security: Main Steps. Be sure to add the client's user name to the AquaLogic Service Bus Security Configuration module. Configure a SAML credential mapping provider. See Configuring SAML Credential Mapping: Main Steps.
Client supplies user name and password in the HTTP or HTTPS header and AquaLogic Service Bus does not authenticate the client.	Pass the client's credentials in a SOAP header.	Configure inbound HTTPS (or HTTP) security. See Configuring Inbound HTTPS Security: Main Steps. Be sure to configure the proxy service for HTTP, no authentication or HTTPS, one-way SSL, no authentication. Configure outbound HTTPS (or HTTP) security. See Configuring Outbound HTTPS Security: Main Steps. Be sure to configure the business service for HTTP BASIC authentication or HTTPS, one-way SSL, BASIC authentication. Also create a pass-through service account and attach the account to the business service.
Client supplies a certificate as part of HTTPS CLIENT-CERT authentication (two-way SSL) and AquaLogic Service Bus authenticates the client.	Map the client credentials to a SAML token. AquaLogic Service Bus asserts the user identity.	Configure inbound HTTPS (or HTTP) security. See Configuring Inbound HTTPS Security: Main Steps. Configure a SAML credential mapping provider. See Configuring SAML Credential Mapping: Main Steps.
An active intermediary proxy service enforces Web-Services Security with the User Name Token Profile.	Encode the credentials as a user name and password token in the SOAP message.	Create an active intermediary proxy service with a WS-Policy statement that requires passwords (not password digests). See Creating an Active Intermediary Proxy Service: Main Steps.
	Encode the credentials as a SAML token in the SOAP message.	Create an active intermediary proxy service with a WS-Policy statement that requires passwords. See Creating an Active Intermediary Proxy Service: Main Steps. Configure a SAML credential mapping provider. See Configuring SAML Credential Mapping: Main Steps.
An active intermediary proxy service enforces Web-Services Security with the X.509 Token Profile.	Encode the credentials as a SAML token in the SOAP message.	Create an active intermediary proxy service with a WS-Policy statement that requires digital signatures and optionally requires authentication with an X.509 token. See Creating an Active Intermediary Proxy Service: Main Steps. Configure a SAML credential mapping provider. See Configuring SAML Credential Mapping: Main Steps.
An active intermediary proxy service enforces Web-Services Security with the SAML Token Profile.	Generate a new SAML token in the outbound SOAP message.	Create an active intermediary proxy service with a WS-Policy statement that requires a SAML token. See Authenticating SAML Tokens in Inbound Requests. Configure a SAML credential mapping provider. See Configuring SAML Credential Mapping: Main Steps.
A pass-through proxy service, which can pass user names and passwords, X.509 tokens, or SAML tokens.	A business service that uses either the User Name Token Profile, the X.509 Token Profile, or the SAML Token Profile.	Create a pass through proxy service. See Creating a Pass-Through Proxy Service: Main Steps. Create a business service that enforces one of the token profiles. See Configuring Outbound Message-Level Security: Main Steps or Configuring SAML Pass-Through Identity Propagation.

For inbound Tuxedo requests, you can configure any of the following security requirements:

Example: Authentication with a User Name Token

Figure 2-2 illustrates how user identities flow through AquaLogic Service Bus when you configure AquaLogic Service Bus as follows:

The illustration begins with the inbound request and ends with the outbound request:

A client sends a request to a proxy service. The request contains the user name and password credentials.

Clients can send other types of tokens for authentication, such as an X.509 certificate. If a client sends a certificate token, you must configure an identity assertion provider to map the identity in the token to an AquaLogic Service Bus security context.

The proxy service asks the domain's authentication provider if the user exists in the domain's authentication provider store.

If the user exists, the proxy service asks the domain's authorization provider to evaluate the access control policy that you have configured for the proxy service.

If the proxy service's access control policy allows the user access, the proxy service processes the message. As part of generating its outbound request to a business service, the proxy service asks the business service to supply the user name and password that the business service requires.

The business service asks its service account for the credentials. Depending on how the service account is configured, it does one of the following:

Requires the proxy service to encode a specific (static) user name and password.
Requires the proxy service to pass along the user name and password that the client supplied.
Maps the user name that was returned from the authentication provider to some other (remote) user name, then requires the proxy service to encode the remote user name.

The proxy service sends its outbound request with the user name and password that was returned from the service account.

Figure 2-2 How Service Accounts Are Used

How Service Accounts Are Used

Administrative Security

To secure access to administrative functions, such as creating proxy services or business services, AquaLogic Service Bus provides four security roles with pre-defined access privileges:

A security role is an identity that can be dynamically conferred upon a user or group at runtime. You cannot change the access privileges for these administrative security roles, but you can change the conditions under which a user or group is in one of the roles.

When assigning administrative users to roles, assign at least one user to the WebLogic Server Admin role, which has complete access to all WebLogic Server and AquaLogic Service Bus resources.

Configuring the WebLogic Security Framework: Main Steps

Many of the initial configuration tasks for AquaLogic Service Bus security require you to work in the WebLogic Server Administration Console to configure the WebLogic security framework. After these initial tasks, you can complete most security tasks from the AquaLogic Service Bus Console.

If you plan to use SSL as part of transport-level security, do the following:

In the WebLogic Server Administration Console, configure identity and trust. See Configuring Identity and Trust in Securing WebLogic Server.
In the WebLogic Server Administration Console, configure SSL. See Configuring SSL in Securing WebLogic Server.

In AquaLogic Service Bus, all HTTPS communication must use the default WebLogic Server (SSL) secure network channel. This is the only SSL network channel that AquaLogic Service Bus supports.

BEA recommends the following for your SSL configuration:

If you configure two-way SSL, you must choose between two modes: Client Certificate Requested But Not Enforced or Client Certificates Requested and Enforced. BEA recommends that whenever possible you choose Client Certificate Requested and Enforced. For more information, see "Secure Sockets Layer (SSL)" in Security Fundamentals in Understanding WebLogic Security.
In a production environment, make sure that Host Name Verification is enabled. See "Using Host Name Verification" in Configuring SSL in Securing WebLogic Server.

In the WebLogic Server Administration Console, configure authentication providers, which your proxy services use for inbound security.

Table 2-4 describes the authentication providers that are commonly configured for AquaLogic Service Bus. For a description of all authentication providers that you can configure, see Security Providers in Securing WebLogic Server.

Table 2-4 Authentication Providers
If You Require Clients to Provide...	Configure...
Simple user names and passwords	The WebLogic Authentication provider and use the AquaLogic Service Bus Console to enter the user names and passwords of the clients that you want to allow access. See "Adding a User" under Security Configuration in Using the AquaLogic Service Bus Console.
X.509 tokens for inbound HTTPS and two-way SSL authentication	All of the following: The WebLogic Identity Assertion provider, which can validate X.509 tokens but does not by default. Make sure that you enable this provider to support X.509 tokens. In addition, enable this provider to use a user name mapper. See "Identity Assertion and Tokens" under "Authentication" in Security Fundamentals in Understanding WebLogic Security. WebLogic CertPath Provider, which completes and validates certificate chains by using trusted Certificate Authority based checking.
X.509 tokens for inbound Web Services Security X.509 Token Authentication	If any of your proxy services or business services are Web services that use abstract WS-Policy statements, you must also configure the following: In the Web Service security configuration named `__SERVICE_BUS_INBOUND_WEB_SERVICE_SECURITY_MBEAN__` add the `UseX509ForIdentity` property and set it to `true`. See Use X.509 Certificates to Establish Identity in the WebLogic Server Administration Console Online Help.
SAML tokens	All of the following: WebLogic SAML Identity Assertion Provider V2, which authenticates users based on Security Assertion Markup Language 1.1 (SAML) assertions. WebLogic SAML Credential Mapping Provider V2, which maps AquaLogic Service Bus users to remote users.

If you plan to create proxy services or business services that require WS-Security digital signatures on inbound requests, enable the Certificate Registry provider, which is a Certification Path provider that validates inbound certificates against a list of certificates that you register.

See Configure Certification Path Providers in WebLogic Server Administration Console Online Help.

If you configure message-level security (in inbound requests or outbound requests) to require user name and password tokens, and if you want messages to provide a password digest instead of cleartext passwords, do the following:

In the WebLogic Server Administration Console, find the two Web Service security configurations that AquaLogic Service Bus provides and set the value of the UsePasswordDigest property to true.

The AquaLogic Service Bus Web Service security configurations are named:
__SERVICE_BUS_INBOUND_WEB_SERVICE_SECURITY_MBEAN__ and
__SERVICE_BUS_OUTBOUND_WEB_SERVICE_SECURITY_MBEAN__

For information on setting the values in Web Service security configurations, see Use a Password Digest in SOAP Messages in the WebLogic Server Administration Console Online Help.

For each authentication provider that you configured in step 2, in the WebLogic Server Administration Console, select the Password Digest Enabled check box.
For each identity assertion provider that you configured in step 2, in the WebLogic Server Administration Console set wsse:PasswordDigest as one of the active token types.

If you plan to create a proxy service provider (which passes key-certificate pairs in outbound requests), use the WebLogic Server Administration Console to configure a PKI credential mapping provider. In any WebLogic Server domain that hosts AquaLogic Service Bus, you can configure at most one PKI credential mapping provider.

A PKI credential mapping provider maps AquaLogic Service Bus proxy service providers to key-pairs that can be used for digital signatures and encryption (for Web Services Security) and for outbound SSL authentication. For more information, see "Configuring a PKI Credential Mapping Provider" in Configuring WebLogic Security Providers in Securing WebLogic Server.

You store the key-pairs and trusted Certification Authority (CA) certificates that the PKI credential mapping provider uses in a keystore. You can store the PKI credential mappings in the identity keystore that WebLogic Server uses (which is typically the same keystore that you use to store key-pairs for SSL communication) or in a separate keystore. Configure each WebLogic Server instance to have access to its own copy of each keystore. All entries referred to by the PKI credential mapper must exist in all keystores (same entry with the same alias). For information about configuring keystores in WebLogic Server, see "Identity and Trust" in Security Fundamentals in Understanding WebLogic Security.

Note:

When you create an AquaLogic Service Bus domain, by default the domain contains a user name/password credential mapping provider, which you can use if you need credential mapping for user names and passwords. In addition to this user name/password credential mapping provider, you can add one PKI credential mapping provider. An AquaLogic Service Bus domain can contain at most one user name/password credential mapping provider, one PKI credential mapping provider, and multiple SAML credential mapping providers.

If you want to enable security auditing, do the following:

In the WebLogic Server Administration Console, configure an auditing provider. See Configuring a WebLogic Auditing Provider in Securing WebLogic Server.
To enable auditing of events related to WS-Security, when you start each AquaLogic Service Bus server, include the following Java option in the server's startup command:

Note: -Dcom.bea.wli.sb.security.AuditWebServiceSecurityErrors=true

AquaLogic Service Bus supports the auditing of security events but it does not support configuration auditing, which emits log messages and generates audit events when a user changes the configuration of any resource within a domain or invokes management operations on any resource within a domain. See Configuration Auditing Securing WebLogic Server.

If you have not already done so, in the WebLogic Server Administration Console, activate your changes. If you have made changes that require you to restart WebLogic Server, the Administration Console will indicate that a restart is required. If you see such a message, restart all WebLogic Server instances that host AquaLogic Service Bus so your modifications to the security providers will be in effect for the remaining configuration steps.

Supported Standards and Security Providers

Table 2-5 Web Services Security and Related Standards
Standard	Version
WS-Security	1.0
WS-Policy	Because the WS-Policy specification has not been fully standardized, AquaLogic Service Bus supports a WebLogic Server-proprietary format that is based on the assertions described in the December 18, 2002 version of the Web Services Security Policy Language (WS-SecurityPolicy) specification. This release of AquaLogic Service Bus does not incorporate the latest update of the specification (13 July 2005).
WS-Policy Attachment	1.0
WS-Security: Username Token Profile	1.0
WS-Security: X.509 Token Profile	1.0
WS-Security: SAML Token Profile	1.0
SAML	1.1

For information about the standards that WebLogic Server supports, see "Standards Support" under What's New in WebLogic Server in WebLogic Server Release Notes.

Support for WebLogic Security Providers

AquaLogic Service Bus supports the security providers that are included with WebLogic Server, such as the WebLogic authentication providers, identity assertion providers, authorization providers, role-mapping providers, credential mapping providers, and Certificate Lookup and Validation (CLV) providers. Additionally, AquaLogic Service Bus 2.5 supports the WebLogic SAML Identity Assertion Provider V2 and WebLogic SAML Credential Mapping Provider V2.

As of release 2.5, AquaLogic Service Bus deprecates support for the WebLogic Default Authorization provider and Default Role Mapping provider, which use a proprietary policy language. Instead, BEA recommends that you use the WebLogic XACML Authorization provider and XACML Role Mapping provider, which use the OASIS standard eXtensible Access Control Markup Language (XACML). If you are upgrading from a previous release of AquaLogic Service Bus in which you used the WebLogic Default Authorization provider and Default Role Mapping provider, use the WebLogic Server Administration Console to import authorization and role-mapping data into the XACML providers. See Upgrading AquaLogic Service Bus Environments in AquaLogic Service Bus Upgrade Guide.

Third-party security providers, such as Netegrity, Oracle-Oblix, and RSA have not been tested and therefore have not been certified in AquaLogic Service Bus 2.5. However, the AquaLogic Service Bus security architecture supports the use of third-party authentication, authorization and role-mapping providers. Contact BEA customer support if you are interested in third-party security provider support in AquaLogic Service Bus 2.5.

For more information about the security providers, see "WebLogic Security Providers" in the WebLogic Security Service Architecture in Understanding WebLogic Security.

Security Guide