|
|
Transport-level security applies security checks as part of establishing a connection between service consumers, proxy services, and business services. The type of security checks that AquaLogic Service Bus can apply depends on the protocol that the proxy service or business service uses to communicate. Some protocols can also encrypt the communication between client and endpoint to prevent snooping from third parties.
Inbound transport-level secures the communication between clients and AquaLogic Service Bus proxy services. Outbound transport security secures all three techniques of sending outbound requests from AquaLogic Service Bus proxy services: route actions, publish actions, and callout actions.
The following sections describe configuring transport-level security:
| Note: | Transport-level security secures only the connection itself. Even if you use the HTTPS or JMS protocols to encrypt the communication, if there is an intermediary between a Web services client and an AquaLogic Service Bus proxy service, such as a router, message queue or another proxy service, the intermediary gets the SOAP message in plain text. When the intermediary sends the message to the second receiver, the second receiver does not know who the original sender was. To prevent unintended intermediaries from viewing or modifying SOAP or JMS messages, configure message-level security in addition to transport-level security. See Configuring Message-Level Security for Web Services. |
The HTTPS protocol uses SSL to secure communication. SSL can be used to encrypt communication, ensure message integrity, and to require strong server and client authentication. Before you can use HTTPS, you must configure SSL in WebLogic Server, see Configuring the WebLogic Security Framework: Main Steps.
The following sections describe configuring transport-level security for the HTTPS protocol:
For each proxy service or business service that communicates over the HTTPS protocol, you can configure the service to require one of the following levels of authentication:
This level enables encrypted communication but does not require clients to provide credentials. To establish a one-way SSL connection, the client initiates the connection and AquaLogic Service Bus sends its certificate to the client. In other words, the client authenticates AquaLogic Service Bus.
This level enables encrypted communication and requires clients to supply a user name and password after the one-way SSL connection is established. The client supplies a user name and password by encoding it in the HTTP request header (which is encrypted by SSL). When the proxy service receives the encrypted request, it passes the credentials to the domain’s authentication provider, which determines whether client’s credentials match a user account that you have created.
This level enables encrypted communication and strong client authentication (two-way SSL).
To establish a two-way SSL connection, the client initiates the connection and AquaLogic Service Bus sends its X.509 certificate to the client. Then, the client sends its certificate to AquaLogic Service Bus and AquaLogic Service Bus authenticates the client.
To get the user name from the client’s certificate, you configure an identity assertion provider, which extracts a field in the certificate to use as the client identity (X.509 token), typically the CN (common name) or E (email) of the SubjectDistinguishedName in the certificate. After extracting the X.509 token, the token is compared to the user accounts in the Security Configuration module of the AquaLogic Service Bus Console.
For more information about SSL and identity assertion providers, see Security Fundamentals in Understanding WebLogic Security.
You can authenticate client requests at the transport-level via custom authentication tokens. Transport-level custom credentials are supported only on inbound requests. You specify a custom token in an HTTP header. The HTTPS-specific configuration pages of the service definition wizard allows you to configure client authentication. Custom authentication concepts are described in Configuring Custom Authentication.
To configure inbound transport-level security for a proxy service:
| Note: | You must first configure, or create and configure, a WebLogic Server Identity Assertion provider as described in Configuring Identity Assertion Providers for Custom Tokens, and add the user names and passwords of the clients that you want to allow access to the Security Configuration module of the AquaLogic Service Bus Console. |
See Configuring the WebLogic Security Framework: Main Steps.
In outbound transport-level security, a proxy service is the client that opens a connection with a business service.
To configure outbound transport-level security:
If you configured the proxy service so that AquaLogic Service Bus does not authenticate clients, configure the enterprise system to authenticate clients by selecting an authentication level of one-way SSL, BASIC authentication.
You can add a user name and password directly to the service account, or configure the service account to pass through the credentials that it received from its client’s request, or you can map a client user name to an AquaLogic Service Bus user. If you configured the proxy service so that AquaLogic Service Bus does not authenticate clients, create a service account that passes through the credentials. See Service Accounts in Using the AquaLogic Service Bus Console.
The HTTP protocol does not encrypt communication between clients and proxy services or business services, but it does support BASIC authentication in which clients send user names and passwords in requests. HTTP also supports custom token authentication.
| Caution: | Unless you have configured strong network security, BEA recommends that you do not use BASIC authentication with HTTP in production environments because the password is sent in clear text. Instead, use BASIC authentication with HTTPS. |
The following sections describe configuring transport-level security for the HTTP protocol:
To configure inbound transport-level security for a proxy service:
The steps for configuring transport-level custom credentials are described in “Adding a Proxy Service” under Proxy Services in Using the AquaLogic Service Bus Console. Custom authentication concepts are described in Configuring Custom Authentication.
The custom authentication token can be any active token type, previously configured for an Identity Assertion provider, that is carried in an HTTP header.
| Note: | To use custom authentication you must first configure, or create and configure, a WebLogic Server Identity Assertion provider as described in Configuring Identity Assertion Providers for Custom Tokens. |
| Note: | If you want AquaLogic Service Bus to authenticate clients (Basic or Custom Authentication) you must create user accounts for the clients. See Configuring Administrative Security: Main Steps. |
In outbound transport-level security, a proxy service is the client that opens a connection with a business service.
To configure outbound transport-level security:
See “Adding a Business Service” under Business Services in Using the AquaLogic Service Bus Console.
You can add a user name and password directly to the service account, or configure the service account to pass through the credentials that it received from its client’s request, or you can map a client user name to an AquaLogic Service Bus user. If you configured the proxy service so that AquaLogic Service Bus does not authenticate clients, create a service account that passes through the credentials. See Service Accounts in Using the AquaLogic Service Bus Console.
The HTTP and HTTPS transport providers pass an AquaLogic Service Bus implementation of the WebLogic Server ContextHandler during transport-level custom token identity assertion. There is no user configuration required for this feature.
This ContextHandler has four properties, as shown in Table 4-1.
While transport-level security for JMS does not provide end-to-end security for JMS messaging, it does provide the following:
AquaLogic Service Bus can communicate with local JMS servers or foreign JMS servers. The connection to JMS servers can be secured using the T3S protocol (T3 over SSL). T3 and T3S are proprietary BEA protocols.
| Note: | JMS administrators use the WebLogic Server Administration Console to create access control policies that restrict access to WebLogic JMS servers and destinations in the JNDI tree. For more information, see Configuring JMS System Resources in Configuring and Managing WebLogic JMS and Securing WebLogic Resources. |
| Note: | If a JMS administrator configures or changes an access control policy for a JMS destination, WebLogic Server can take up to 60 seconds to recognize the changes. |
| Note: | By default, WebLogic Server JMS checks the policy for each JMS destination every 60 seconds. To change this behavior, modify the WebLogic Server startup command so that it sets the following system property to the frequency (in seconds) that you want WebLogic Server JMS to check access control policies:weblogic.jms.securityCheckInterval A value of 0 (zero) for this property ensures that an authorization check is performed for every send, receive, and getEnumeration action on a JMS resource. |
The following sections describe configuring JMS transport-level security:
To configure inbound JMS transport-level security:
AquaLogic Service Bus configures the JMS proxy service to use the T3S protocol.
You must add a user name and password directly in the service account. JMS cannot use a service account that passes through the credentials that it received from its client’s request or that maps a client user name to an AquaLogic Service Bus user. See Service Accounts in Using the AquaLogic Service Bus Console.
To configure inbound JMS transport-level security:
AquaLogic Service Bus configures the JMS proxy service to use the T3S protocol.
You must add a user name and password directly in the service account. JMS cannot use a service account that passes through the credentials that it received from its client’s request or that maps a client user name to an AquaLogic Service Bus user. See Service Accounts in Using the AquaLogic Service Bus Console.
You can use the same service account for both the JMS server and the JNDI tree if both objects require the same credentials.
The following sections describe the security measures that are available for communication over the email, FTP, and file protocols:
Email and FTP are not secure protocols. They support weak authentication, typically over insecure channels. The supported security method for email or FTP transport is the username and password needed to connect to the email or FTP server.
To secure email, you must designate a service account as an alias for the username and password in the AquaLogic Service Bus Console. The service will use the username and password to authenticate to the SMTP server.
To secure FTP, in the AquaLogic Service Bus Console, select external_user and designate a service account as an alias for the username and password. The service will use the username and password to authenticate to the FTP server.
For information about how to add security to email and FTP transport, see “Adding a Business Service” in Business Services in the Using the AquaLogic Service Bus Console.
The supported security method for file transport is the user login to the computer on which the files are located.
If you configure a proxy service to authenticate clients, then you can access the client’s identity and the security groups to which the client belongs from the proxy service’s pipeline. The identity and group information is located in the message context at $inbound/ctx:security/ctx:transportClient/ctx:username
and$inbound/ctx:security/ctx:transportClient/ctx:principals/ctx:group
(the message context contains one ctx:group element for each group the user belongs to)
If a proxy service does not authenticate clients, then the value of $inbound/ctx:security/ctx:transportClient/ctx:username is <anonymous> and there will not be any ctx:group elements.
For more information, see “Inbound and Outbound Variables” in Message Context in the AquaLogic Service Bus User Guide and “Message Flow” in Proxy Services in the Using the AquaLogic Service Bus Console.
|