application security: websphere application … security: websphere application server (was) 4.0...
TRANSCRIPT
Application Security: WebSphere Application
Server (WAS) 4.0
Keys Botzum, Senior Consulting I/T Specialist IBM Software Services for e-business
[email protected]://www.transarc.ibm.com/~keys/
WAS 4.0, May 2001Application Security Basics 01-05-24 1
Definition of application securityBasic security conceptsSecurity technologiesJ2EE 1.2 SecurityWebSphere Application Server (WAS) specificsWAS Advanced Security TopicsExamples: using various tools and programming issues
This will give you a taste of all the issues. This is a survey of security not deep training in the technologies themselves. Security is a very hard problem.
Agenda
Application Security Basics 01-05-24 2
Network securityFirewallsIntrusion detectionVirus scanning
all important, but not covered deeply here
What is not Application Security?
Application Security Basics 01-05-24 3
Perspective of implementers creating applications to solve problemsApplications
use a variety of COTS products (web servers, databases, application servers, operating systems, etc.)involve anywhere from no programming (web pages on web site) to substantial programming
What is Application Security?
Application Security Basics 01-05-24 4
The Problem: Distributed Security
Some process (the client) initiates communication with some process (the server)How can client and server form a secure trusted communication path??
ServerClient
Application Security Basics 01-05-24 5
The Basic Steps
CA R2R1
ServerClient
-user registry-CRL
7 65
4
2 -CA cert- server private key- server cert
-CA cert- user private key- user cert
3
Application Security Basics 01-05-24 6
1. secure transport2. server identifies itself to the client3. client validates identification using trusted technique.4. client identifies itself to the server5. server validates identification using trusted technique.
The server may use a user registry for this purpose.6. server obtains authorization information for the user
from some registry. 7. server enforces access to its resources based on the
user's authorization information. Note:
SSL combines 1, 2, 3, possibly 4 & 5.Security policy tools combine 6 & 7.
Key Steps
Application Security Basics 01-05-24 7
There are several key concepts involved in application security:
AuthenticationAuthorizationTrustDelegationData Protection
ConfidentialityData Integrity
Security Concepts
Application Security Basics 01-05-24 8
Prove who you are (steps 2-4)Identification
exchange proof of identitybased on a secret
Validationverify identityassociates with Principal Authenticated
Identification
challenge user
Authentication Data(uid/pw,cert,token)
User Registry
AuthenticationData Credentials
CredentialsCredentialsAuthenticated
Authentication
Validation
Application Security Basics 01-05-24 9
Authorization
Control access to resources (steps 5 & 6)Security Lookup (by server)
determine security privileges for principalinformation stored in registry
Rule Enforcement (by server)obtain rules from registrygiven privileges & rules, determine access
ServerClient
userX, opY
userX??
Rules
opY???
UserRegistry
decide
Application Security Basics 01-05-24 10
Trust
Ultimately in any secure system, something must be trusted.
Kerberos - the KDC is trusted to verify passwords & issue credentialsPKI - the CA is trusted to issue valid certificatesPassword Authentication - user registry is trusted to verify passwordsWebSphere - the security server (part of the admin server process) is trusted to issue LTPA tokens
Application Security Basics 01-05-24 11
Trust - Concepts
Least Trustto limit risk, trust the fewest things possible and work hard to secure them.
Trust Domaina collection of servers, processes, machines, etc., that are part of same security infrastructure and trust same thing.DCE Cell, Kerberos Realm, WebSphere Domain, Sun NIS Domain, Windows Domain, etc.
Application Security Basics 01-05-24 12
Delegation
Server 1Client Server 2id X id ???
Server 1 acts on behalf of client. Options:1. Server 2 trusts Server 1 and Server 1 does all
security checks2. Server 2 trusts Server 1 to identify client and
Server 2 does authorization checks3. Securely delegate id X through Server 1 to
Server 2Application Security Basics 01-05-24
13
Delegation
Server 1Client Server 2id X id ???
Risks/Issues(Option 1) Server 1 must understand all access
controls needed by Server 2(Options 1 & 2) Server 2 trusts Server 1 to
identity client(Option 3) Strongest security, but how can we
delegate securely?
Application Security Basics 01-05-24 14
Delegation
Server 1Client Server 2id X id ???
Security Server
Server 1 validates user using Security ServerSecurity Server issues credentialServer 1 and Server 2 trust Security Server
issued credentials to identify principalsServer 1 & Server 2 are in same Trust Domain
Application Security Basics 01-05-24 15
Confidentialityencrypt data on the wire so it can not be seen. Implies Integrity since encrypted data can not be modified.
Data Integritygenerate secure checksums of data before sending so data can not be modified without detection
SSL (and thus WAS) supports both.
Data Protection
Application Security Basics 01-05-24 16
Public-key cryptographyCertificatesSSL & HTTPSPKILDAP
Security Technologies
Application Security Basics 01-05-24 17
Public-Key Cryptography
Two keys that are cryptographically relatedPublic-key
can share with everyonePrivate-key
must never be shared. Possession is proof.Asymmetric
given message encrypted with one key & posses other key, can decrypt messagesymmetric/secret key technology uses same key for encrypt and decrypt
Application Security Basics 01-05-24 18
Public-Key for AuthenticationExample
Create key pair: Public (K), Private (P)Client C wants to authenticate Server SC encrypts Message (M) using Public Key (K) creating K(M) and sends to SS decrypts K(M) using Private Key (P)S then demonstrates to C that message understoodIf C knows K goes with S, then C know S's identity Issue: where did K come from?
CA issues digitally signed certificates containing Kif trust CA, can trust that K is really for S
Application Security Basics 01-05-24 19
Certificates
A Certificate is a public key with additional identification information
Subject info - distinguished name, serial numIssuer/CA info - distinguished namearbitrary attributes(opinion) rely on Subject & CA info only
Digitally signed using CA private keyCA public key distributed in trusted way
use CA public key to verify certificatesmust be certain CA public key is CA's
Application Security Basics 01-05-24 20
CA
Certificate Usage (Client Identifies Server)
public privateprivatepublic
Cert publicCA Certpublic
Sign
Secure
Trusted
Client Server
MSGprivatepublic
Certpublic
Application Security Basics 01-05-24 21
Certificate Usage
For one peer to identify anotherauthenticator (the one doing the authentication) must posses CA certificateinitiator (the one being identified) must posses identity certificate signed by same CA and corresponding private key
Certificates & private keys distributed out-of-bandIdentity certificates presented to peer during authentication (since digitally signed)
Application Security Basics 01-05-24 22
SSL
Understand what SSL isUnderstand how SSL is used by HTTPSUnderstand how SSL is used by WAS
Application Security Basics 01-05-24 23
What is SSL?
SSL stands for Secure Sockets LayerSSL provide provides connection security through:
Communication privacy - the data on the connection can be encrypted.Communication integrity - the protocol includes a built-in integrity check. Authentication - the client can authenticate the server and vice versa through the exchange of digital certificates
Application Security Basics 01-05-24 24
SSL Authentication
Client ServerClient Requests SSL Connection
Server Presents Certificate, Requests Client Certificate
Client Verifies Server Certificate,Presents Client Certificate
Server Verifies Client Certificate
HTTP Request
HTTP Response
Application Security Basics 01-05-24 25
HTTPS
HTTPS is HTTP over an SSL layerA web server must be set up to support HTTPSRequires a server certificate for authenticationListens (by default) on for 443.If using client authentication, web server validates client's certificate
Application Security Basics 01-05-24 26
SSL and HTTPS in WAS
For browser clients, SSL client communication is handled by the Web Server
Establishes an HTTPS link, performs certificate exchangeNote: WAS still does username/password authentication, but not certificate authentication (relies on web server)
When security is enabled in WASIIOP between the admin server and between application servers is encrypted with SSLJava clients also use IIOP over SSLAdmin clients use IIOP over SSL
Application Security Basics 01-05-24 27
Public Key Infrastructure (PKI)
PKI - the whole infrastructure that makes public-key security work
Based on public/private key cryptographyCertificate Authority (CA)Registration Authority (RA)PKI enabled applicationsDirectory (optional)
Application Security Basics 01-05-24 28
PKI
Registration Authority
Certificate Authority
LDAP Directory
Application Server
request
approvedrequest
cert &CRL
cert
cert
cert
= off line/manual
Application Security Basics 01-05-24 29
Certificate Authority
RA usually verifies identity somehowemail address, etc.badge/human verificationtells CA is issue certificate
CApublishes certificates which are signed by itpublishes Certificate Revocation List
list of certificates no longer validNeither is involved in runtime authentication
Application Security Basics 01-05-24 30
LDAP
LDAP = Lightweight Directory Access Protocol"lightweight" subset of x.500 DAPpopular & widely support directory interfaceclient only specificationa way for client applications to query for information
A directory is like a database, butoptimized for read accesstends to store different kinds of informationsearch via LDAP query strings, rather than SQL
Application Security Basics 01-05-24 31
LDAP
An LDAP directory stores entries which are collections of attributesAttribute is a key (multi-)value pair.
Entry
attribute
attribute
attribute
attribute
type
value value
Application Security Basics 01-05-24 32
Globally unique name of an EntryComposed of Relative DNs (RDN) which are just key-value pairsExamples:
uid=keys,o=ibm.com,c=usuid=kdbotzu,ou=DoD,o=U.S. Government,c=uscn=Keys Botzum,o=fred
Distinguished Name
Application Security Basics 01-05-24 33
Entry Examples
uid=keys,o=fredcn=Keys BotzumtelephoneNumber=xxx-xxxxuserPass=secret
uid=jj23,ou=deptXX,o=companyYYcn=John Q CompanyuserPass=hidden
cn=managers,ou=groups,o=companyYYmember=uid=jj23,ou=deptXX,o=companyYY
Application Security Basics 01-05-24 34
Directory Structure
o=companyYY
ou=deptXX
uid=jj23
uid=abc123
ou=deptAA
uid=abc345dn=uid=jj23,ou=deptXX,o=companyYY
dn=uid=abc123,ou=deptXX,o=companyYY
dn=uid=abc345,ou=deptAA,o=companyYY
Application Security Basics 01-05-24 35
Searching LDAP
LDAP query strings(uid=keys)(& (member=uid=keys,o=ibm,c=us) (objectclass=groupOfNames))(& (member=keys,o=ibm,c=us) (| (objectclass=groupOfNames) (objectclass=groupOfUniqueNames))(& (member=keys,o=ibm,c=us) (objectclass<=groupOfNames))accessible via command line tools, C APIs, and JNDI APIs
Application Security Basics 01-05-24 36
As part of PKICertificates identity users
dn from certificate is looked up in LDAP directory to find principalcan store in LDAP directory, but not needed for secure authentication. CRL may be stored here
Passwords in Directoryenables password authentication where client certificates not practical
LDAP and Security
Application Security Basics 01-05-24 37
Security groupsmany products obtain group memberships from LDAP implicitly and enforce security using themthere are standard schemas for this
Can secure LDAP communication using SSLCan authenticate to LDAP directory (basic & cert)Can place ACLs on directory entries (vendor specific)
LDAP and Security (cont.)
Application Security Basics 01-05-24 38
LDAP etc..
LDAP schema is extensiblethere are industry defined standard schemas
Replication & Failovervendor specificclient's bind to LDAP server via IP address or DNS name
Microsoft's ActiveDirectorybased on LDAP and LDAP queriablemany proprietary extensions
LDAP V3 is currently the latest RFC
Application Security Basics 01-05-24 39
PKI Soapbox
A lot of flexibility hereLots of ambiguityTrivial to create PKI solutions that don't interoperateFocus on the core partsFocus on what is supported by majority of commercial vendorsAvoid trap of creating exotic certificates or directory entries to "improve" on commercial solutions
Application Security Basics 01-05-24 40
PKI Soapbox: Hindrances
Client certificates need smart cards to protect private-key
very slow rolloutvery expensive
Certificate technology still immatureinterop is not guaranteed if use "advanced" featuresCRL not always used. Unclear where to obtain (LDAP, ftp, http, offline, etc)
Good stuff, but be waryApplication Security Basics 01-05-24
41
J2EE 1.2 Security
PrincipalsRolesResourcesDeclarative SecurityProgrammatic SecurityAuthentication MethodsEAR, WAR, and EJB files
Application Security Basics 01-05-24 42
Principals & Roles
Principalsthings that can be authenticated: users, servers, etc.
Rolesan abstraction that represents the ability to do something. Just string names.
Role Mappingthe act of defining the registry entities (users and groups) in the runtime environment corresponding to those roles
Application Security Basics 01-05-24 43
Resources
EJBscan secure access to individual methods: business methods, home methods, etc.
Servletscan secure access to individual "methods": POST, GET, etc
Application Security Basics 01-05-24 44
Declarative Security
"Declarative security refers to the means of expressing an application’s security structure, including security roles, access control, and authentication requirements in a form external to the application." -- J2EE 1.2 spec
Specify access information on resources using roles.
Application Security Basics 01-05-24 45
Programatic Security
Using programming APIs to access security information.Who are you?
java.security.Principal getXXXPrincipal()System.out.println("You are " + getXXXPrincipal.getName());
What can you do? (Are you in this role?)boolean isXXXInRole(String roleName)if (isXXXInRole("manager") { do manager stuff }
ServletgetUserPrincipal & isUserInRole
EJBgetCallerPrincipal & isCallerInRole
Application Security Basics 01-05-24 46
Authentication Methods
Webbasic - standard web HTTP basic auth challengeHTTP Digest - like basic, but password encryptedform - user is redirected to a custom page where user types in username & passwordSSL mutual auth (e.g, certificate)web based single signon is required
Application Clientunspecified (Section 9.2 of J2EE 1.2 spec)
Note that J2EE uses lazy authentication - users are not challenged until they attempt to use a secured resource
Application Security Basics 01-05-24 47
EARs, WARs, and EJBs
J2EE ModulesEJB JAR
contains description of EJBs, code, descriptors (with security information)
WARcontains description of servlets, code, related web "stuff," and descriptors (with security information)
J2EE Application - EARcontains EJB JARs, WARs, code, and descriptors (with security information)
Application Security Basics 01-05-24 48
Security Information in Descriptors
EJBsecurity contraints specifying roles for access to EJB methodsrunAs information - role EJB will execute under (affects future security related actions)
WARsecurity constraints specifying transport rules and roles for access to web resources (URL & method combinations)login info specifying authentication type
EARrole mappings (if needed) for EJBs and WARspointers to EJB and WAR info
Application Security Basics 01-05-24 49
Additional J2EE 1.2 Comments
Includes EJB 1.1 and Servlet 2.2.
Not required or specified by spec:secure interopHTTP digest authenticationclient authentication methodsauditingmapping to OS and other non-J2EE resourcesadmin tools
Application Security Basics 01-05-24 50
Overview & ConceptsConfigurationApplication DeploymentApplication Creation (via AAT)Application Management
WAS Security
Application Security Basics 01-05-24 51
WAS is J2EE 1.2 Compliant
Support J2EE mandated functionalityEAR, WAR, and EJB file formats
Application Assembly Tool (AAT) for creating files with deployment info
Basic, form based login (with extensions), and SSL mutual authPassword based auth for clientsRoles mapped to registryProgramming APIsSSO
Application Security Basics 01-05-24 52
Security Architecture
authentication
Security Services
WAS resources
web serverplug-in
servlet request
authentication challenge(401)
userid, password
web server
securitycollaborator
authorization,delegation
servlet engine
Application Server
EJB container
Invokercredentials
Invokercredentials
ApplicationSecurity andBinding Info
EAR
ApplicationSecurity andBinding Info
security checks
Admin Server
Other ServicesEJB method invocation
(userid, password)
authenticationand authorization
ava Clientpplication Invoker
credentials
Application Security Basics 01-05-24 53
WAS Security
Security RegistryLTPASingle-SignOn (SSO)
Security information specified via admin clients and AAT
Application Security Basics 01-05-24 54
WAS User Registries
Operating SystemNT = Domain, WorkgroupUNIX = /etc/password
LDAPAny LDAP Server using industry standard schemaIBM SecureWay, Netscape, ActiveX, Domino
Customwrite your own registry by implementing our interfaces
Application Security Basics 01-05-24 55
Secure Association Services
The Secure Association Services allows secure delegation within the WebSphere RMI-IIOP frameworkBased on security interceptors within the ORB that create and manage secure associations between client and server objects and principalsLightweight Third Party Authentication (LTPA) is the key
Application Security Basics 01-05-24 56
LTPA
A security server (WAS admin server) is a trusted third partyAuthentication consists of
supplying userid/password or certificate to security serverThe security server creates a unique token
Tokens prove identity of the calling principalIIOP stores token in the "current" context
Support LDAP and Custom registriesSimilar to Kerberos/DCE security in concept
Application Security Basics 01-05-24 57
SSO
Works in conjunction w/ LTPAIssues cookies to web browser to track user authentication informationProvides for SSO within or even between WAS domainsRequired for practical use of "custom login"
My opinion: should always enable unless hate cookies
Application Security Basics 01-05-24 58
Authentication Supported in WAS V4.0
Challenge Type
Authentication Mechanism
User Registry
Client Support
None None None Web,JavaLTPA LDAP, Custom Web, JavaNative OS Native OS Web, Java
Certificate LTPA Web
"Java" clients refers to standalone Java applications and AppletsNote that LTPA is not supported with Native OS
Basic
LDAP, Custom
Application Security Basics 01-05-24 59
Comparison of User Registries in WAS
Local OS has some limitationsNot supported in multi-node environmentLarge number of users requires many accounts
LTPA helps relax many of the restrictionsUses common registry (LDAP or custom) as directory for principals and groups shared among several WAS nodesObtains tokens that can be passed to other WAS instancesNote that LDAP is a standard widely supported directory and should be preferred
Application Security Basics 01-05-24 60
Configuring Security via Security Center GUIlaunched from within admin console (file->security center)
Application Security Basics 01-05-24 61
Properties Related to Security Config Security EnabledSecurity Cache Timeout - how long security information is cached in the runtimeAuthentication Mechanism
Common to allSecurity Server ID & Password
root user ID - must be in registry. Used by WAS to create its own identity for each WAS server: admin and app. Is NOT in any way special to the underlying registry.no correlation to OS process IDis always a plain short name, like 'was'
Local OS Securityuse operating system as registry for validating users
LTPA - next pageuse LTPA as the security mechanism
Application Security Basics 01-05-24 62
Properties Related to Security (cont.)Authentication Mechanism::LTPA
Token Expiration in minutesEnable Single Sign On: tells LTPA to maintain session across requests - cookies in a browser
Domain: limits SSO to servers in a specific domain. Should be something like ".ibm.com"Limit to SSL: for the security conscious, ensures that LTPA token will only be sent over SSL connections
WebSeal - TrustedAssociationstell WAS to recognize user information sent from WebSeal/Policy Director
Key ManagementGenerate Keys: used to change encryption keys for the paranoidImport from File: keys can be imported if shared by other systemsExport to File: needed for import
RegistryLDAP or Custom
Application Security Basics 01-05-24 63
Properties Related to Security (cont.)LTPA with LDAP Registry
Security Server ID and Password: Corresponds to an LDAP directory IDNOT a fully qualified DN. Example: 'was'
Host & Port: Where LDAP server resides (beware, you can't change this). Example 'ldaphost.bigcorp.com'Port defaults to 389
Base Distinguished Name: root of LDAP directory tree for searches (example: o=ibm.com)
Bind Distinguished Name & Password: name WAS should use when authenticating to LDAP for searchonly used if anonymous searches are restrictedExample: 'ldapuser'
Use SSLtells WAS to use SSL connection when talking to LDAP directoryrequires that WAS knows LDAP server's certificate or that they share a common CA.
Application Security Basics 01-05-24 64
Properties Related to Security (cont.)LTPA with LDAP Registry (cont)
Directory Types (supported)Netscape Directory ServerSecureWay Directory ServerLotus Domino 4.6, 5.0Novell NDSMicrosoft ActiveDirectory (via LDAP interface)==> just sets search string rules. Can specify anything with 'Advanced'Advanced:
user filter - (&(uid=%v) ...)group filter - (&(cn=%v) ...)user id map - *:uidgroup id map - *:cngroup member id map - groupOfNames:member;...certificate mapping (used for cert auth)
exact is default, filters are allowed
Application Security Basics 01-05-24 65
Properties Related to Security (cont.)LTPA with Custom Registry
Security Server ID and Password - used to create WAS identity via your registryCustom User Registry Classname
the class WAS will load to use as registryimplements CustomRegistry interface
Application Security Basics 01-05-24 66
Installing J2EE Applications with Admin Console
Chance to specify security on EJB methods w/o security specified
Application Security Basics 01-05-24 67
Installing Applications
Map app roles by specifying users & groups that are in that role
Application Security Basics 01-05-24 68
Installing Applications
Security BindingsYou just specified security bindingsCan also be specified via AATAfter deploying app with bindings, can export J2EE application with binding information (saves time later)
Application Security Basics 01-05-24 70
Creating Applications with Security Info - AAT UsageWAS 4.0 introduces a new tool (AAT) to manage the creation of J2EE modules and applications. The WAS admin infrastructure manages J2EE modules and applications, not individual components.
Application Security Basics 01-05-24 71
You can use the AAT to construct J2EE EAR files from individual J2EE modules. 3 types of modules:
web modules (.war files) servlets, JSPs.. DD: WEB-INF/web.xml
EJB modules (EJB .jar files) DD: META-INF/ejb-jar.xml
J2EE Application Clients (.jar files) DD: META-INF/application-client.xml
Application Assembly Tool (AAT)
Application Security Basics 01-05-24 72
Things You can do with the AATLoad J2EE modules and applicationsEdit deployment descriptor Information (including security information)Assemble J2EE application composed of J2EE modules Edit the Binding InformationConvert EJB JAR files from 1.0 to 1.1 format (implicit)Create WAR & EJB JAR files
Application Assembly Tool (cont..)
Application Security Basics 01-05-24 73
Setting Security Properties via AAT
J2EE modules:WAREJB
J2EE applications - EAR
Application Security Basics 01-05-24 74
WAR Security Properties
Using AAT, specifySecurity RolesSecurity Constraints
roles that this applies totransport restrictions (none, integrity, confidential)Web Resource Collections
URL patterns (can be more than one)HTTP Methods (GET, POST, DELETE, etc)
WAR level security infosession timeoutauthentication method: none, basic, form, cert
Application Security Basics 01-05-24 75
EJB Security Properties
Using AAT, specifySecurity RolesMethod Permissions
what roles can call what methods (Home and Remote)
Application Security Basics 01-05-24 79
EAR Security Properties
Security Rolesnormally, just an implicit combination of WAR and EJB rolesbindings (to registry) for those roles
Application Security Basics 01-05-24 81
Management: Changing Role Information Later
Use Security Center to edit role mappingsrunAs mappings
Application Security Basics 01-05-24 82
WebSphere 4.0 AE: Role Mapping GUI
Get Security Roles for the Application
(EAR)
Bind Role to Users, Groups,
Special Subjects
Application Security Basics 01-05-24 83
WebSphere 4.0 AE: "Run As Role" Mapping GUI
Specify ONLY ONE USER for
the Role
Application Security Basics 01-05-24 84
Default Security for Resources
Watch out:
WAS 3.5.x WAS 4.0
Security NOT defined for any method in EJB, servlet
EJB: DeniedWeb-Resource: Grant
EJB: GrantWeb-Resource: Grant
Default setting for methods with NO security definition in resources, where at least 1 method has Security defined
EJB: DeniedWeb-Resource: Grant
EJB: DeniedWeb-Resource: Grant
Application Security Basics 01-05-24 85
Function Responsibity Tool
Security role names used internally within the code Developer VAJ, Editor
Specify Security Roles Application Assembler AAT
Method Permissions, Security Constraints, Authentication Info
Application Assembler AAT
Security Role Binding to Principal
UserGroupSpecial Subjects
Application Installer AAT, Admin Console
Principal mapping for inter-enterprise bean calls (RUN-AS)
Application Installer Admin Console
WebSphere 4.0: Security Responsibilities
Application Security Basics 01-05-24 86
Edition Differences: Security
AE - "full" WASsupports everything we've discussed
AEs - single server editionsingle JVM, single node configurationno LTPA, no LDAP, no custom registry, no Trusted Associationsuses web based admin GUI (similar function)
AEd - single server developer editionsame as AEs
Application Security Basics 01-05-24 87
WebSphere AE Single Server Architecture
Java Client Application
Web Browser Console
Plug-In
HTTP Server
Application Database
HTTP(S)
HTTP(S)
IIOP
HTTPAdministrative Server
Enterprise Bean
EJB Container
Application Server
server-cfg.xml
Single Server uses xml file for repository
Client Container
Single JVM
Web Browser
Client
Servlet
JSP
Web Container
Embedded HTTP Server
plugin-cfg.xml
Application Security Basics 01-05-24 88
WebSphere Advanced Edition Architecture
Java Client Application
Java Admin
Console
Plug-In
HTTP Server
Application Database
Administrative Repository
HTTP(S)
HTTP(S)
IIOP
IIOPAdministrative Server - JVM
Enterprise Bean
EJB Container
Application Server - JVM
Multi Server uses database for repository
XMLConfig
WebSphere Control Program (WSCP)
Servlet
JSP
Web Container
Embedded HTTP Server
Web Browser
Client
plugin-cfg.xml
Application Security Basics 01-05-24 89
Advanced Edition Feature Comparison
Feature AEs Single Server Production
AEd Single Server Developer Edition
AE Production
Production certified Yes No Yes
Browser-based administration Yes Yes No
Multi-node administration No No Yes
Database backed administration No No Yes
Distributed security No No Yes
Workload management No No Yes
Clustering / cloning No No Yes
Dynamic caching No No Yes
Directory services No No Yes
Enterprise Extensions integration No No Yes
Application Security Basics 01-05-24 90
WAS Advanced Topics
VAJ 4.0 supportCustom registriesSecurity IntegrationDatabasesInstance Based AuthorizationProperty filesSamples, Odds and endsNetwork security
Application Security Basics 01-05-24 91
VAJ Support
VAJ 4.0 is the version of VAJ for WAS 4.0, however
at EJB 1.0/WAS 3.5.3 levelcan export EJB 1.1 compliant JARscan export WAS 4.0 CMP mapping infoEJB 1.0 programming APIs
no isXXXInRole()need AAT to specify J2EE info
future VAJ update (later this year) needed for full WAS 4.0 support
Application Security Basics 01-05-24 92
Implement the CustomRegistry interface and configure via admin tools.
Some of the methods of CustomRegistry interface:// User-related methodspublic boolean isValidUser(String securityName)public List getUsers()public List getUsers(String pattern)public String getUserDisplayName(String securityName)public String getUniqueUserId(String securityName)
// Group-related methods ... // Similar to user methods
// Authentication methodspublic String checkPassword(String userId, String password)public String mapCertificate(X509Certificate cert)
Custom Registries
Application Security Basics 01-05-24 93
Issue: Integration
WAS prefers to do authentication itself. However, it can be told to "trust" other authentication systems: TrustedAssociation
Write custom plug-in Java code that WAS calls when identifying user web request. WAS will trust your code to identify userWAS will still do authorization against registry (LDAP or custom)You are extending your Trust domain. Be careful.Explicit support for PolicyDirector/WebSeal via TrustedAssociations
Application Security Basics 01-05-24 94
Policy Director at 100,000 feet
Front-end proxy that authenticates users and creates credentialsFront-end authorization engine that controls access to web URLs (doesn't help with EJBs)Back-end powerful rules engine for complex authorization
DB
Admin
App Server
Web Server
WebBrowser
DB protocol
DB protocol
IIOP/SSLHTTP/SSLHTTP/SSL
LDAPDirectory
LDAP/SSL
PD/WebSEAL
HTTP/SSL
LDAP/SSL
HTTP/SSL
Application Security Basics 01-05-24 95
PD and WAS - the net
WAS can trust PD authentication using TrustedAssociationsWAS does not use PD authz API for authorization (yet)
can custom codePD can't authorize access to EJBs
==> Need WAS security even when using PD
Application Security Basics 01-05-24 96
Issue: Conflicts between Database and Application Security ModelsWAS knows the user's identity. The DB does not.All DB connections use a connection pool with a common identityOptions:
get over itbuild custom audit functions that audit true user idrely on DB specific and proprietary SQL for changing connection identity. Not going to work with CMP beans.
Application Security Basics 01-05-24 97
Issue: Instance based authorization
WAS does class based or type based authorization, not instance basedUse isXXXInRole() to build your own instance access controls. Rely on WAS to do authentication and simple authorization to application
Application Security Basics 01-05-24 98
Issue: WAS property files
WAS property files contain sensitive informationWAS masks passwordsprotect the filesystemcan undermine WAS security if people can read or modify this (production issue)
Application Security Basics 01-05-24 99
Issue: WAS Default Server
Default Server has great examples, but not suitable for production
snoopshowCfg
Do not install in production. Certainly, do not run in production.
Application Security Basics 01-05-24 100
Issue: Odds and Ends
Enable security or anyone can administer WAS domain with WAS admin tools.Do not use "serve servlets by classname." Otherwise, any class on classpath can be executed remotely. Very dangerous.Protect WAS' private key
this means, don't use the DummyKeyRing that ships with WAS
Application Security Basics 01-05-24 101
Issue: Network Security
Link from plug-in to WAS can be encrypted (look at plugin-cfg.xml and Web Container Service on app server)DB traffic is not protectedLDAP traffic is clear text by default
DB
Admin
App Server
Web Server
AdminClient
WebBrowser
DB protocol
IIOP/SSL
DB protocol
IIOP/SSL
HTTP/SSLHTTP/SSL
LDAPDirectory
LDAP/SSL
Application Security Basics 01-05-24 102
Looking Forward
Further out (all tentative)JAASmore Policy Director integrationKerberos supportbetter security integration with S/390
Application Security Basics 01-05-24 103
Final Security Considerations
Think about your security infrastructure. It is often more vulnerable than people think.Leverage your corporate LDAP infrastructure. Do not create islands.Beware extending your trust domain
==> Think hard about security. It is hard.
Application Security Basics 01-05-24 104
Using IkeymanConfiguring IBM HTTP to use SSLAdding user to SecureWay LDAPAdding Certificate to web browserBasic AuthenticationJava JNDI accessClients: java, wscp, XMLConfig, etc.
Examples
Application Security Basics 01-05-24 105
Certificates via Ikeyman
Many IBM products share common (Java) certificate infrastructureThe tool for manipulating the key databases needed by these products is IKeymanIKeyman
tool for managing key databasestool for requesting & importing certstool for important CA certscreating self-signed certs
Beware: there are multiple versions of Ikeyman shipping with different products. They are not always compatible.
Application Security Basics 01-05-24 106
Certificates via IkeymanTo create a key database suitable for use with a product:
Create key databaseKey Database/NewUse a JKS database (.jks) for most new things (new ikeyman)Use a CMS database (.kdb) for the WAS plug-in (old ikeyman)Stash file (holding password) is optional
If needed, import signer certificate (the CA's)Add...
Create personal certificate requestNew...
Import certificateReceive...
For testing, you can also create a self-signed cert
Application Security Basics 01-05-24 107
Configure SSL (IBM HTTP)
Add the SSL moduleBasic Settings/Module Sequence, then add module "ibm_ssl"
Enable SSLSecurity/Server Security, then select SSL and provide name of key database you just created with IkeymanSpecify server auth or client and server authSpecify keyfile password if no stash file
Note that this will require updating virtual host alias in WAS to support new port number
Application Security Basics 01-05-24 109
Adding Users to SecureWay LDAP
using Directory Management Tool (DMT)Browse treeSelect basedn for userClick addSelect userEnter required information (bold)
Application Security Basics 01-05-24 110
LDAP Entries Advice
To create an LDAP entry for userDN should follow organizational policyA UID as part of entry is recommended
using CN is a bad idea as common names are not unique!
A password if supporting basic-auth is required
Create/Add user to appropriate groupOfNames entries
Application Security Basics 01-05-24 111
Create private/public key pair and request certificate (many CAs do this in one step)Add private key & certificate to browser (a PKCS12 file)
Security/Certificates/Yours/Import a certificateThis should implicitly load the CA cert as well
Note: not needed if web server cert signed by well known CA and not using client certs
Browser Configuration: New Certificate (Netscape)
Application Security Basics 01-05-24 114
Basic Authentication
The "Basic" Authentication protocol is used by web servers to request a userid and password
This information is then passed back and forth with every HTTP request and response
HTTP Request
Prompt for Password
HTTP Request with authorization header
Header verified, HTTP Response
Application Security Basics 01-05-24 115
Basic Auth: Authorization Header
The authorization information (user, password) is stored in the "Authorization" headerThe information is base 64 encoded in the form [scheme user:password]Servlets can access this informationClients (Applets or Applications) can write this information
Application Security Basics 01-05-24 116
Basic Auth: Getting to the Header (Servlet)
String encodedString = req.getHeader("Authorization");if (encodedString == null) {
System.out.println("no authorization header");return;
}
Application Security Basics 01-05-24 117
import com.ibm.ejs.security.util.*;
StringTokenizer stz = new StringTokenizer(encodedString);
// skip "Basic"String schemeType = stz.nextToken();// user:password base64 encodedString userPassEncoded = stz.nextToken();String userPassString = Base64Coder.base64Decode(userPassEncoded);StringTokenizer st = new StringTokenizer(userPassString, ":");if (st.hasMoreTokens())
String user = st.nextToken();if (st.hasMoreTokens())
String password = st.nextToken();
Basic Auth: Decoding Example (servlet)
Application Security Basics 01-05-24 118
Basic Auth: Setting the Header (Applet)
import com.ibm.ejs.security.util.*;
public class HeaderEncoder {private static String AUTH_STRING = "Basic "; // note the spaceprivate static String AUTH_NAME = "Authorization";
public static void setAuthorizationHeader(URLConnection conn, String name, String pwd) {
String toEncode = name + ":" + password; String encodedString = Base64Coder.base64Encode(toEncode); String outputString = AUTH_STRING + encodedString; conn.setRequestProperty(AUTH_NAME, outputString);
}}
Application Security Basics 01-05-24 119
Basic Authentication Summary
In this section, we've seenHow Basic authentication worksHow to obtain username and password from the Authorization headerHow to set the authorization header
Application Security Basics 01-05-24 120
LDAP via JNDIimport javax.naming.*; import javax.naming.directory.*;
//gets all groups the given user (specified by dn) is a member ofDirContext ctx = new InitialDirContext(props);SearchControls control = new SearchControls();control.setSearchScope(SearchControls.SUBTREE_SCOPE);control.setReturningAttributes( {"cn"} ); //a string array//looking for entries w/ matching dn starting as member.String queryString = "(& (member=" + dn + ") (objectclass=groupOfNames))";
NamingEnumeration results = ctx.search(basedn, queryString, control);while (results.hasMore()) {
System.out.print(", ");System.out.print(
((SearchResult) results.nextElement()).getName());}
Application Security Basics 01-05-24 121
Client Access
Java Client
Program
Enterprise Java Bean
RMI over IIOP over SSL
WAS Server
admin consolewscpXMLConfigcustom app
Application Security Basics 01-05-24 122
Implementing Client Access
WAS supports Java clients directly connecting to EJB'sAuthentication information is carried in the IIOP context
Must be supplied by the client programCan be supplied from properites, through a dialog box, or command line prompting
Also should provide a KeyRing to encrypt the IIOP messages (used by SSL)
Application Security Basics 01-05-24 123
Setting up authentication
WAS authenticates Java clients using password based authenticationYou must set up three parts of the client application
The security classes must be on the classpathThe program must specify the needed properties (usually by pointing to a SAS configuration file)
Application Security Basics 01-05-24 124
Client Properties File
You can begin by copying the sas.client.props file from /WebSphere/AppServer/propertiescom.ibm.CORBA.loginSource can have three values: prompt, standard-in, and properties.
properties - two properties, loginUserId and loginPassword are used for user auth
Note: you can set these programmaticallyprompt - a popup dialog box at program startup prompts for a userid and password (only useful with GUI app)standard-in - a command line prompt asks for userid and password
Application Security Basics 01-05-24 125
com.ibm.CORBA.securityEnabled=truecom.ibm.CORBA.loginSource=promptcom.ibm.CORBA.loginTimeout=300com.ibm.CORBA.loginUserid=com.ibm.CORBA.loginPassword=com.ibm.CORBA.keytabFileName=C:/WebSphere/AppServer40/etc/keytab5com.ibm.CORBA.SSLTypeIClientAssociationEnabled=truecom.ibm.CORBA.SSLTypeIServerAssociationEnabled=truecom.ibm.CORBA.SSLKeyRing=C:/WebSphere/AppServer40/etc/DummyKeyring.jkscom.ibm.CORBA.SSLKeyRingPassword=WebAScom.ibm.CORBA.SSLServerKeyRing=C:/WebSphere/AppServer40/etc/DummyKeyring.jkscom.ibm.CORBA.SSLServerKeyRingPassword=WebAScom.ibm.CORBA.SSLV3SessionTimeout=9600com.ibm.CORBA.standardPerformQOPModels=confidentialitycom.ibm.CORBA.standardClaimQOPModels=integritycom.ibm.CORBA.bootstrapRepositoryLocation=nonecom.ibm.CORBA.authenticationTarget=BasicAuthcom.ibm.CORBA.disableSecurityDuringBootstrap=false
Sample sas.client.props Contents
Application Security Basics 01-05-24 126
Client StartupThe WAS admin tools (wscp, XMLConfig, etc) use sas.client.props. You may wish to copy this file and edit it for your needs as just described. If you do, you'll need to edit the startup scripts (.bat or .sh).You can also write new Java clients and run them
java -classpath %WAS_CP%;MyJar.jar;. -Dcom.ibm.CORBA.ConfigURL=file:/E:\MyApp\sas.myapp.props com.ibm.myApp.myApp
Note: you may wish to add '-Dcom.ibm.CORBA.principalName="clientXXX" '. This name will be used in WebSphere tracing and may be useful for debugging.
Application Security Basics 01-05-24 127
Security Reminder for SSL
You can use the "dummyKeyRing" that ships with WAS on your clients. However you are exposing the WAS private key to the clients.
Application Security Basics 01-05-24 128
Summary
We've outlined all of the core security issuesthere is much more to learn: policy based authorization tools, LDAP configuration, directory management, CA management, etc..there is a white paper authored by Keys Botzum "Enterprise Application Security" that overlaps with this presentation and provides more detail, however it is based on WAS 3.5.
Application Security Basics 01-05-24 129
ReferencesSSL
http://developer.netscape.com/docs/manuals/security/sslin/index.htmJ2EE 1.2, EJB 1.1, and Servlet 2.2 specs
http://java.sun.comAcknowledgements
Kyle Brown - coauthor of original presentationWAS Development Personel - answered my questionsWAS Education Group - I borrowed some slides from them
References & Acknowledgements
Application Security Basics 01-05-24 130