application security: websphere application … security: websphere application server (was) 4.0...

Application Security: WebSphere Application

Server (WAS) 4.0

Keys Botzum, Senior Consulting I/T Specialist IBM Software Services for e-business

[email protected]://www.transarc.ibm.com/~keys/

WAS 4.0, May 2001Application Security Basics 01-05-24 1

Definition of application securityBasic security conceptsSecurity technologiesJ2EE 1.2 SecurityWebSphere Application Server (WAS) specificsWAS Advanced Security TopicsExamples: using various tools and programming issues

This will give you a taste of all the issues. This is a survey of security not deep training in the technologies themselves. Security is a very hard problem.

Agenda

Application Security Basics 01-05-24 2

Network securityFirewallsIntrusion detectionVirus scanning

all important, but not covered deeply here

What is not Application Security?


Perspective of implementers creating applications to solve problemsApplications

use a variety of COTS products (web servers, databases, application servers, operating systems, etc.)involve anywhere from no programming (web pages on web site) to substantial programming

What is Application Security?


The Problem: Distributed Security

Some process (the client) initiates communication with some process (the server)How can client and server form a secure trusted communication path??

ServerClient


The Basic Steps

CA R2R1

ServerClient

-user registry-CRL

7 65

4

2 -CA cert- server private key- server cert

-CA cert- user private key- user cert

3


1. secure transport2. server identifies itself to the client3. client validates identification using trusted technique.4. client identifies itself to the server5. server validates identification using trusted technique.

The server may use a user registry for this purpose.6. server obtains authorization information for the user

from some registry. 7. server enforces access to its resources based on the

user's authorization information. Note:

SSL combines 1, 2, 3, possibly 4 & 5.Security policy tools combine 6 & 7.

Key Steps


There are several key concepts involved in application security:

AuthenticationAuthorizationTrustDelegationData Protection

ConfidentialityData Integrity

Security Concepts


Prove who you are (steps 2-4)Identification

exchange proof of identitybased on a secret

Validationverify identityassociates with Principal Authenticated

Identification

challenge user

Authentication Data(uid/pw,cert,token)

User Registry

AuthenticationData Credentials

CredentialsCredentialsAuthenticated

Authentication

Validation


Authorization

Control access to resources (steps 5 & 6)Security Lookup (by server)

determine security privileges for principalinformation stored in registry

Rule Enforcement (by server)obtain rules from registrygiven privileges & rules, determine access

ServerClient

userX, opY

userX??

Rules

opY???

UserRegistry

decide


Trust

Ultimately in any secure system, something must be trusted.

Kerberos - the KDC is trusted to verify passwords & issue credentialsPKI - the CA is trusted to issue valid certificatesPassword Authentication - user registry is trusted to verify passwordsWebSphere - the security server (part of the admin server process) is trusted to issue LTPA tokens


Trust - Concepts

Least Trustto limit risk, trust the fewest things possible and work hard to secure them.

Trust Domaina collection of servers, processes, machines, etc., that are part of same security infrastructure and trust same thing.DCE Cell, Kerberos Realm, WebSphere Domain, Sun NIS Domain, Windows Domain, etc.


Delegation

Server 1Client Server 2id X id ???

Server 1 acts on behalf of client. Options:1. Server 2 trusts Server 1 and Server 1 does all

security checks2. Server 2 trusts Server 1 to identify client and

Server 2 does authorization checks3. Securely delegate id X through Server 1 to

Server 2Application Security Basics 01-05-24

13

Delegation


Risks/Issues(Option 1) Server 1 must understand all access

controls needed by Server 2(Options 1 & 2) Server 2 trusts Server 1 to

identity client(Option 3) Strongest security, but how can we

delegate securely?


Delegation


Security Server

Server 1 validates user using Security ServerSecurity Server issues credentialServer 1 and Server 2 trust Security Server

issued credentials to identify principalsServer 1 & Server 2 are in same Trust Domain


Confidentialityencrypt data on the wire so it can not be seen. Implies Integrity since encrypted data can not be modified.

Data Integritygenerate secure checksums of data before sending so data can not be modified without detection

SSL (and thus WAS) supports both.

Data Protection


Public-key cryptographyCertificatesSSL & HTTPSPKILDAP

Security Technologies


Public-Key Cryptography

Two keys that are cryptographically relatedPublic-key

can share with everyonePrivate-key

must never be shared. Possession is proof.Asymmetric

given message encrypted with one key & posses other key, can decrypt messagesymmetric/secret key technology uses same key for encrypt and decrypt


Public-Key for AuthenticationExample

Create key pair: Public (K), Private (P)Client C wants to authenticate Server SC encrypts Message (M) using Public Key (K) creating K(M) and sends to SS decrypts K(M) using Private Key (P)S then demonstrates to C that message understoodIf C knows K goes with S, then C know S's identity Issue: where did K come from?

CA issues digitally signed certificates containing Kif trust CA, can trust that K is really for S


Certificates

A Certificate is a public key with additional identification information

Subject info - distinguished name, serial numIssuer/CA info - distinguished namearbitrary attributes(opinion) rely on Subject & CA info only

Digitally signed using CA private keyCA public key distributed in trusted way

use CA public key to verify certificatesmust be certain CA public key is CA's


CA

Certificate Usage (Client Identifies Server)

public privateprivatepublic

Cert publicCA Certpublic

Sign

Secure

Trusted

Client Server

MSGprivatepublic

Certpublic


Certificate Usage

For one peer to identify anotherauthenticator (the one doing the authentication) must posses CA certificateinitiator (the one being identified) must posses identity certificate signed by same CA and corresponding private key

Certificates & private keys distributed out-of-bandIdentity certificates presented to peer during authentication (since digitally signed)


SSL

Understand what SSL isUnderstand how SSL is used by HTTPSUnderstand how SSL is used by WAS


What is SSL?

SSL stands for Secure Sockets LayerSSL provide provides connection security through:

Communication privacy - the data on the connection can be encrypted.Communication integrity - the protocol includes a built-in integrity check. Authentication - the client can authenticate the server and vice versa through the exchange of digital certificates


SSL Authentication

Client ServerClient Requests SSL Connection

Server Presents Certificate, Requests Client Certificate

Client Verifies Server Certificate,Presents Client Certificate

Server Verifies Client Certificate

HTTP Request

HTTP Response


HTTPS

HTTPS is HTTP over an SSL layerA web server must be set up to support HTTPSRequires a server certificate for authenticationListens (by default) on for 443.If using client authentication, web server validates client's certificate


SSL and HTTPS in WAS

For browser clients, SSL client communication is handled by the Web Server

Establishes an HTTPS link, performs certificate exchangeNote: WAS still does username/password authentication, but not certificate authentication (relies on web server)

When security is enabled in WASIIOP between the admin server and between application servers is encrypted with SSLJava clients also use IIOP over SSLAdmin clients use IIOP over SSL


Public Key Infrastructure (PKI)

PKI - the whole infrastructure that makes public-key security work

Based on public/private key cryptographyCertificate Authority (CA)Registration Authority (RA)PKI enabled applicationsDirectory (optional)


PKI

Registration Authority

Certificate Authority

LDAP Directory

Application Server

request

approvedrequest

cert &CRL

cert

cert

cert

= off line/manual


Certificate Authority

RA usually verifies identity somehowemail address, etc.badge/human verificationtells CA is issue certificate

CApublishes certificates which are signed by itpublishes Certificate Revocation List

list of certificates no longer validNeither is involved in runtime authentication


LDAP

LDAP = Lightweight Directory Access Protocol"lightweight" subset of x.500 DAPpopular & widely support directory interfaceclient only specificationa way for client applications to query for information

A directory is like a database, butoptimized for read accesstends to store different kinds of informationsearch via LDAP query strings, rather than SQL


LDAP

An LDAP directory stores entries which are collections of attributesAttribute is a key (multi-)value pair.

Entry

attribute

attribute

attribute

attribute

type

value value


Globally unique name of an EntryComposed of Relative DNs (RDN) which are just key-value pairsExamples:

uid=keys,o=ibm.com,c=usuid=kdbotzu,ou=DoD,o=U.S. Government,c=uscn=Keys Botzum,o=fred

Distinguished Name


Entry Examples

uid=keys,o=fredcn=Keys BotzumtelephoneNumber=xxx-xxxxuserPass=secret

uid=jj23,ou=deptXX,o=companyYYcn=John Q CompanyuserPass=hidden

cn=managers,ou=groups,o=companyYYmember=uid=jj23,ou=deptXX,o=companyYY


Directory Structure

o=companyYY

ou=deptXX

uid=jj23

uid=abc123

ou=deptAA

uid=abc345dn=uid=jj23,ou=deptXX,o=companyYY

dn=uid=abc123,ou=deptXX,o=companyYY

dn=uid=abc345,ou=deptAA,o=companyYY


Searching LDAP

LDAP query strings(uid=keys)(& (member=uid=keys,o=ibm,c=us) (objectclass=groupOfNames))(& (member=keys,o=ibm,c=us) (| (objectclass=groupOfNames) (objectclass=groupOfUniqueNames))(& (member=keys,o=ibm,c=us) (objectclass<=groupOfNames))accessible via command line tools, C APIs, and JNDI APIs


As part of PKICertificates identity users

dn from certificate is looked up in LDAP directory to find principalcan store in LDAP directory, but not needed for secure authentication. CRL may be stored here

Passwords in Directoryenables password authentication where client certificates not practical

LDAP and Security


Security groupsmany products obtain group memberships from LDAP implicitly and enforce security using themthere are standard schemas for this

Can secure LDAP communication using SSLCan authenticate to LDAP directory (basic & cert)Can place ACLs on directory entries (vendor specific)

LDAP and Security (cont.)


LDAP etc..

LDAP schema is extensiblethere are industry defined standard schemas

Replication & Failovervendor specificclient's bind to LDAP server via IP address or DNS name

Microsoft's ActiveDirectorybased on LDAP and LDAP queriablemany proprietary extensions

LDAP V3 is currently the latest RFC


PKI Soapbox

A lot of flexibility hereLots of ambiguityTrivial to create PKI solutions that don't interoperateFocus on the core partsFocus on what is supported by majority of commercial vendorsAvoid trap of creating exotic certificates or directory entries to "improve" on commercial solutions


PKI Soapbox: Hindrances

Client certificates need smart cards to protect private-key

very slow rolloutvery expensive

Certificate technology still immatureinterop is not guaranteed if use "advanced" featuresCRL not always used. Unclear where to obtain (LDAP, ftp, http, offline, etc)

Good stuff, but be waryApplication Security Basics 01-05-24

41

J2EE 1.2 Security

PrincipalsRolesResourcesDeclarative SecurityProgrammatic SecurityAuthentication MethodsEAR, WAR, and EJB files


Principals & Roles

Principalsthings that can be authenticated: users, servers, etc.

Rolesan abstraction that represents the ability to do something. Just string names.

Role Mappingthe act of defining the registry entities (users and groups) in the runtime environment corresponding to those roles


Resources

EJBscan secure access to individual methods: business methods, home methods, etc.

Servletscan secure access to individual "methods": POST, GET, etc


Declarative Security

"Declarative security refers to the means of expressing an application’s security structure, including security roles, access control, and authentication requirements in a form external to the application." -- J2EE 1.2 spec

Specify access information on resources using roles.


Programatic Security

Using programming APIs to access security information.Who are you?

java.security.Principal getXXXPrincipal()System.out.println("You are " + getXXXPrincipal.getName());

What can you do? (Are you in this role?)boolean isXXXInRole(String roleName)if (isXXXInRole("manager") { do manager stuff }

ServletgetUserPrincipal & isUserInRole

EJBgetCallerPrincipal & isCallerInRole


Authentication Methods

Webbasic - standard web HTTP basic auth challengeHTTP Digest - like basic, but password encryptedform - user is redirected to a custom page where user types in username & passwordSSL mutual auth (e.g, certificate)web based single signon is required

Application Clientunspecified (Section 9.2 of J2EE 1.2 spec)

Note that J2EE uses lazy authentication - users are not challenged until they attempt to use a secured resource


EARs, WARs, and EJBs

J2EE ModulesEJB JAR

contains description of EJBs, code, descriptors (with security information)

WARcontains description of servlets, code, related web "stuff," and descriptors (with security information)

J2EE Application - EARcontains EJB JARs, WARs, code, and descriptors (with security information)


Security Information in Descriptors

EJBsecurity contraints specifying roles for access to EJB methodsrunAs information - role EJB will execute under (affects future security related actions)

WARsecurity constraints specifying transport rules and roles for access to web resources (URL & method combinations)login info specifying authentication type

EARrole mappings (if needed) for EJBs and WARspointers to EJB and WAR info


Additional J2EE 1.2 Comments

Includes EJB 1.1 and Servlet 2.2.

Not required or specified by spec:secure interopHTTP digest authenticationclient authentication methodsauditingmapping to OS and other non-J2EE resourcesadmin tools


Overview & ConceptsConfigurationApplication DeploymentApplication Creation (via AAT)Application Management

WAS Security


WAS is J2EE 1.2 Compliant

Support J2EE mandated functionalityEAR, WAR, and EJB file formats

Application Assembly Tool (AAT) for creating files with deployment info

Basic, form based login (with extensions), and SSL mutual authPassword based auth for clientsRoles mapped to registryProgramming APIsSSO


Security Architecture

authentication

Security Services

WAS resources

web serverplug-in

servlet request

authentication challenge(401)

userid, password

web server

securitycollaborator

authorization,delegation

servlet engine

Application Server

EJB container

Invokercredentials

Invokercredentials

ApplicationSecurity andBinding Info

EAR

ApplicationSecurity andBinding Info

security checks

Admin Server

Other ServicesEJB method invocation

(userid, password)

authenticationand authorization

ava Clientpplication Invoker

credentials


WAS Security

Security RegistryLTPASingle-SignOn (SSO)

Security information specified via admin clients and AAT


WAS User Registries

Operating SystemNT = Domain, WorkgroupUNIX = /etc/password

LDAPAny LDAP Server using industry standard schemaIBM SecureWay, Netscape, ActiveX, Domino

Customwrite your own registry by implementing our interfaces


Secure Association Services

The Secure Association Services allows secure delegation within the WebSphere RMI-IIOP frameworkBased on security interceptors within the ORB that create and manage secure associations between client and server objects and principalsLightweight Third Party Authentication (LTPA) is the key


LTPA

A security server (WAS admin server) is a trusted third partyAuthentication consists of

supplying userid/password or certificate to security serverThe security server creates a unique token

Tokens prove identity of the calling principalIIOP stores token in the "current" context

Support LDAP and Custom registriesSimilar to Kerberos/DCE security in concept


SSO

Works in conjunction w/ LTPAIssues cookies to web browser to track user authentication informationProvides for SSO within or even between WAS domainsRequired for practical use of "custom login"

My opinion: should always enable unless hate cookies


Authentication Supported in WAS V4.0

Challenge Type

Authentication Mechanism

User Registry

Client Support

None None None Web,JavaLTPA LDAP, Custom Web, JavaNative OS Native OS Web, Java

Certificate LTPA Web

"Java" clients refers to standalone Java applications and AppletsNote that LTPA is not supported with Native OS

Basic

LDAP, Custom


Comparison of User Registries in WAS

Local OS has some limitationsNot supported in multi-node environmentLarge number of users requires many accounts

LTPA helps relax many of the restrictionsUses common registry (LDAP or custom) as directory for principals and groups shared among several WAS nodesObtains tokens that can be passed to other WAS instancesNote that LDAP is a standard widely supported directory and should be preferred


Configuring Security via Security Center GUIlaunched from within admin console (file->security center)


Properties Related to Security Config Security EnabledSecurity Cache Timeout - how long security information is cached in the runtimeAuthentication Mechanism

Common to allSecurity Server ID & Password

root user ID - must be in registry. Used by WAS to create its own identity for each WAS server: admin and app. Is NOT in any way special to the underlying registry.no correlation to OS process IDis always a plain short name, like 'was'

Local OS Securityuse operating system as registry for validating users

LTPA - next pageuse LTPA as the security mechanism


Properties Related to Security (cont.)Authentication Mechanism::LTPA

Token Expiration in minutesEnable Single Sign On: tells LTPA to maintain session across requests - cookies in a browser

Domain: limits SSO to servers in a specific domain. Should be something like ".ibm.com"Limit to SSL: for the security conscious, ensures that LTPA token will only be sent over SSL connections

WebSeal - TrustedAssociationstell WAS to recognize user information sent from WebSeal/Policy Director

Key ManagementGenerate Keys: used to change encryption keys for the paranoidImport from File: keys can be imported if shared by other systemsExport to File: needed for import

RegistryLDAP or Custom


Properties Related to Security (cont.)LTPA with LDAP Registry

Security Server ID and Password: Corresponds to an LDAP directory IDNOT a fully qualified DN. Example: 'was'

Host & Port: Where LDAP server resides (beware, you can't change this). Example 'ldaphost.bigcorp.com'Port defaults to 389

Base Distinguished Name: root of LDAP directory tree for searches (example: o=ibm.com)

Bind Distinguished Name & Password: name WAS should use when authenticating to LDAP for searchonly used if anonymous searches are restrictedExample: 'ldapuser'

Use SSLtells WAS to use SSL connection when talking to LDAP directoryrequires that WAS knows LDAP server's certificate or that they share a common CA.


Properties Related to Security (cont.)LTPA with LDAP Registry (cont)

Directory Types (supported)Netscape Directory ServerSecureWay Directory ServerLotus Domino 4.6, 5.0Novell NDSMicrosoft ActiveDirectory (via LDAP interface)==> just sets search string rules. Can specify anything with 'Advanced'Advanced:

user filter - (&(uid=%v) ...)group filter - (&(cn=%v) ...)user id map - *:uidgroup id map - *:cngroup member id map - groupOfNames:member;...certificate mapping (used for cert auth)

exact is default, filters are allowed


Properties Related to Security (cont.)LTPA with Custom Registry

Security Server ID and Password - used to create WAS identity via your registryCustom User Registry Classname

the class WAS will load to use as registryimplements CustomRegistry interface


Installing J2EE Applications with Admin Console

Chance to specify security on EJB methods w/o security specified


Installing Applications

Map app roles by specifying users & groups that are in that role



Map RunAs roles to user in registry



Security BindingsYou just specified security bindingsCan also be specified via AATAfter deploying app with bindings, can export J2EE application with binding information (saves time later)


Creating Applications with Security Info - AAT UsageWAS 4.0 introduces a new tool (AAT) to manage the creation of J2EE modules and applications. The WAS admin infrastructure manages J2EE modules and applications, not individual components.


You can use the AAT to construct J2EE EAR files from individual J2EE modules. 3 types of modules:

web modules (.war files) servlets, JSPs.. DD: WEB-INF/web.xml

EJB modules (EJB .jar files) DD: META-INF/ejb-jar.xml

J2EE Application Clients (.jar files) DD: META-INF/application-client.xml

Application Assembly Tool (AAT)


Things You can do with the AATLoad J2EE modules and applicationsEdit deployment descriptor Information (including security information)Assemble J2EE application composed of J2EE modules Edit the Binding InformationConvert EJB JAR files from 1.0 to 1.1 format (implicit)Create WAR & EJB JAR files

Application Assembly Tool (cont..)


Setting Security Properties via AAT

J2EE modules:WAREJB

J2EE applications - EAR


WAR Security Properties

Using AAT, specifySecurity RolesSecurity Constraints

roles that this applies totransport restrictions (none, integrity, confidential)Web Resource Collections

URL patterns (can be more than one)HTTP Methods (GET, POST, DELETE, etc)

WAR level security infosession timeoutauthentication method: none, basic, form, cert


EJB Security Properties

Using AAT, specifySecurity RolesMethod Permissions

what roles can call what methods (Home and Remote)


EJB Security Properties


EAR Security Properties

Security Rolesnormally, just an implicit combination of WAR and EJB rolesbindings (to registry) for those roles


Management: Changing Role Information Later

Use Security Center to edit role mappingsrunAs mappings


WebSphere 4.0 AE: Role Mapping GUI

Get Security Roles for the Application

(EAR)

Bind Role to Users, Groups,

Special Subjects


WebSphere 4.0 AE: "Run As Role" Mapping GUI

Specify ONLY ONE USER for

the Role


Default Security for Resources

Watch out:

WAS 3.5.x WAS 4.0

Security NOT defined for any method in EJB, servlet

EJB: DeniedWeb-Resource: Grant

EJB: GrantWeb-Resource: Grant

Default setting for methods with NO security definition in resources, where at least 1 method has Security defined




Function Responsibity Tool

Security role names used internally within the code Developer VAJ, Editor

Specify Security Roles Application Assembler AAT

Method Permissions, Security Constraints, Authentication Info

Application Assembler AAT

Security Role Binding to Principal

UserGroupSpecial Subjects

Application Installer AAT, Admin Console

Principal mapping for inter-enterprise bean calls (RUN-AS)

Application Installer Admin Console

WebSphere 4.0: Security Responsibilities


Edition Differences: Security

AE - "full" WASsupports everything we've discussed

AEs - single server editionsingle JVM, single node configurationno LTPA, no LDAP, no custom registry, no Trusted Associationsuses web based admin GUI (similar function)

AEd - single server developer editionsame as AEs


WebSphere AE Single Server Architecture

Java Client Application

Web Browser Console

Plug-In

HTTP Server

Application Database

HTTP(S)

HTTP(S)

IIOP

HTTPAdministrative Server

Enterprise Bean

EJB Container

Application Server

server-cfg.xml

Single Server uses xml file for repository

Client Container

Single JVM

Web Browser

Client

Servlet

JSP

Web Container

Embedded HTTP Server

plugin-cfg.xml


WebSphere Advanced Edition Architecture

Java Client Application

Java Admin

Console

Plug-In

HTTP Server

Application Database

Administrative Repository

HTTP(S)

HTTP(S)

IIOP

IIOPAdministrative Server - JVM

Enterprise Bean

EJB Container

Application Server - JVM

Multi Server uses database for repository

XMLConfig

WebSphere Control Program (WSCP)

Servlet

JSP

Web Container

Embedded HTTP Server

Web Browser

Client

plugin-cfg.xml


Advanced Edition Feature Comparison

Feature AEs Single Server Production

AEd Single Server Developer Edition

AE Production

Production certified Yes No Yes

Browser-based administration Yes Yes No

Multi-node administration No No Yes

Database backed administration No No Yes

Distributed security No No Yes

Workload management No No Yes

Clustering / cloning No No Yes

Dynamic caching No No Yes

Directory services No No Yes

Enterprise Extensions integration No No Yes


WAS Advanced Topics

VAJ 4.0 supportCustom registriesSecurity IntegrationDatabasesInstance Based AuthorizationProperty filesSamples, Odds and endsNetwork security


VAJ Support

VAJ 4.0 is the version of VAJ for WAS 4.0, however

at EJB 1.0/WAS 3.5.3 levelcan export EJB 1.1 compliant JARscan export WAS 4.0 CMP mapping infoEJB 1.0 programming APIs

no isXXXInRole()need AAT to specify J2EE info

future VAJ update (later this year) needed for full WAS 4.0 support


Implement the CustomRegistry interface and configure via admin tools.

Some of the methods of CustomRegistry interface:// User-related methodspublic boolean isValidUser(String securityName)public List getUsers()public List getUsers(String pattern)public String getUserDisplayName(String securityName)public String getUniqueUserId(String securityName)

// Group-related methods ... // Similar to user methods

// Authentication methodspublic String checkPassword(String userId, String password)public String mapCertificate(X509Certificate cert)

Custom Registries


Issue: Integration

WAS prefers to do authentication itself. However, it can be told to "trust" other authentication systems: TrustedAssociation

Write custom plug-in Java code that WAS calls when identifying user web request. WAS will trust your code to identify userWAS will still do authorization against registry (LDAP or custom)You are extending your Trust domain. Be careful.Explicit support for PolicyDirector/WebSeal via TrustedAssociations


Policy Director at 100,000 feet

Front-end proxy that authenticates users and creates credentialsFront-end authorization engine that controls access to web URLs (doesn't help with EJBs)Back-end powerful rules engine for complex authorization

DB

Admin

App Server

Web Server

WebBrowser

DB protocol

DB protocol

IIOP/SSLHTTP/SSLHTTP/SSL

LDAPDirectory

LDAP/SSL

PD/WebSEAL

HTTP/SSL

LDAP/SSL

HTTP/SSL


PD and WAS - the net

WAS can trust PD authentication using TrustedAssociationsWAS does not use PD authz API for authorization (yet)

can custom codePD can't authorize access to EJBs

==> Need WAS security even when using PD


Issue: Conflicts between Database and Application Security ModelsWAS knows the user's identity. The DB does not.All DB connections use a connection pool with a common identityOptions:

get over itbuild custom audit functions that audit true user idrely on DB specific and proprietary SQL for changing connection identity. Not going to work with CMP beans.


Issue: Instance based authorization

WAS does class based or type based authorization, not instance basedUse isXXXInRole() to build your own instance access controls. Rely on WAS to do authentication and simple authorization to application


Issue: WAS property files

WAS property files contain sensitive informationWAS masks passwordsprotect the filesystemcan undermine WAS security if people can read or modify this (production issue)


Issue: WAS Default Server

Default Server has great examples, but not suitable for production

snoopshowCfg

Do not install in production. Certainly, do not run in production.


Issue: Odds and Ends

Enable security or anyone can administer WAS domain with WAS admin tools.Do not use "serve servlets by classname." Otherwise, any class on classpath can be executed remotely. Very dangerous.Protect WAS' private key

this means, don't use the DummyKeyRing that ships with WAS


Issue: Network Security

Link from plug-in to WAS can be encrypted (look at plugin-cfg.xml and Web Container Service on app server)DB traffic is not protectedLDAP traffic is clear text by default

DB

Admin

App Server

Web Server

AdminClient

WebBrowser

DB protocol

IIOP/SSL

DB protocol

IIOP/SSL

HTTP/SSLHTTP/SSL

LDAPDirectory

LDAP/SSL


Looking Forward

Further out (all tentative)JAASmore Policy Director integrationKerberos supportbetter security integration with S/390


Final Security Considerations

Think about your security infrastructure. It is often more vulnerable than people think.Leverage your corporate LDAP infrastructure. Do not create islands.Beware extending your trust domain

==> Think hard about security. It is hard.


Using IkeymanConfiguring IBM HTTP to use SSLAdding user to SecureWay LDAPAdding Certificate to web browserBasic AuthenticationJava JNDI accessClients: java, wscp, XMLConfig, etc.

Examples


Certificates via Ikeyman

Many IBM products share common (Java) certificate infrastructureThe tool for manipulating the key databases needed by these products is IKeymanIKeyman

tool for managing key databasestool for requesting & importing certstool for important CA certscreating self-signed certs

Beware: there are multiple versions of Ikeyman shipping with different products. They are not always compatible.


Certificates via IkeymanTo create a key database suitable for use with a product:

Create key databaseKey Database/NewUse a JKS database (.jks) for most new things (new ikeyman)Use a CMS database (.kdb) for the WAS plug-in (old ikeyman)Stash file (holding password) is optional

If needed, import signer certificate (the CA's)Add...

Create personal certificate requestNew...

Import certificateReceive...

For testing, you can also create a self-signed cert


IKeyMan Screenshot


Configure SSL (IBM HTTP)

Add the SSL moduleBasic Settings/Module Sequence, then add module "ibm_ssl"

Enable SSLSecurity/Server Security, then select SSL and provide name of key database you just created with IkeymanSpecify server auth or client and server authSpecify keyfile password if no stash file

Note that this will require updating virtual host alias in WAS to support new port number


Adding Users to SecureWay LDAP

using Directory Management Tool (DMT)Browse treeSelect basedn for userClick addSelect userEnter required information (bold)


LDAP Entries Advice

To create an LDAP entry for userDN should follow organizational policyA UID as part of entry is recommended

using CN is a bad idea as common names are not unique!

A password if supporting basic-auth is required

Create/Add user to appropriate groupOfNames entries


SecureWay LDAP Screenshot


Create private/public key pair and request certificate (many CAs do this in one step)Add private key & certificate to browser (a PKCS12 file)

Security/Certificates/Yours/Import a certificateThis should implicitly load the CA cert as well

Note: not needed if web server cert signed by well known CA and not using client certs

Browser Configuration: New Certificate (Netscape)


Basic Authentication

The "Basic" Authentication protocol is used by web servers to request a userid and password

This information is then passed back and forth with every HTTP request and response

HTTP Request

Prompt for Password

HTTP Request with authorization header

Header verified, HTTP Response


Basic Auth: Authorization Header

The authorization information (user, password) is stored in the "Authorization" headerThe information is base 64 encoded in the form [scheme user:password]Servlets can access this informationClients (Applets or Applications) can write this information


Basic Auth: Getting to the Header (Servlet)

String encodedString = req.getHeader("Authorization");if (encodedString == null) {

System.out.println("no authorization header");return;

}


import com.ibm.ejs.security.util.*;

StringTokenizer stz = new StringTokenizer(encodedString);

// skip "Basic"String schemeType = stz.nextToken();// user:password base64 encodedString userPassEncoded = stz.nextToken();String userPassString = Base64Coder.base64Decode(userPassEncoded);StringTokenizer st = new StringTokenizer(userPassString, ":");if (st.hasMoreTokens())

String user = st.nextToken();if (st.hasMoreTokens())

String password = st.nextToken();

Basic Auth: Decoding Example (servlet)


Basic Auth: Setting the Header (Applet)

import com.ibm.ejs.security.util.*;

public class HeaderEncoder {private static String AUTH_STRING = "Basic "; // note the spaceprivate static String AUTH_NAME = "Authorization";

public static void setAuthorizationHeader(URLConnection conn, String name, String pwd) {

String toEncode = name + ":" + password; String encodedString = Base64Coder.base64Encode(toEncode); String outputString = AUTH_STRING + encodedString; conn.setRequestProperty(AUTH_NAME, outputString);

}}


Basic Authentication Summary

In this section, we've seenHow Basic authentication worksHow to obtain username and password from the Authorization headerHow to set the authorization header


LDAP via JNDIimport javax.naming.*; import javax.naming.directory.*;

//gets all groups the given user (specified by dn) is a member ofDirContext ctx = new InitialDirContext(props);SearchControls control = new SearchControls();control.setSearchScope(SearchControls.SUBTREE_SCOPE);control.setReturningAttributes( {"cn"} ); //a string array//looking for entries w/ matching dn starting as member.String queryString = "(& (member=" + dn + ") (objectclass=groupOfNames))";

NamingEnumeration results = ctx.search(basedn, queryString, control);while (results.hasMore()) {

System.out.print(", ");System.out.print(

((SearchResult) results.nextElement()).getName());}


Client Access

Java Client

Program

Enterprise Java Bean

RMI over IIOP over SSL

WAS Server

admin consolewscpXMLConfigcustom app


Implementing Client Access

WAS supports Java clients directly connecting to EJB'sAuthentication information is carried in the IIOP context

Must be supplied by the client programCan be supplied from properites, through a dialog box, or command line prompting

Also should provide a KeyRing to encrypt the IIOP messages (used by SSL)


Setting up authentication

WAS authenticates Java clients using password based authenticationYou must set up three parts of the client application

The security classes must be on the classpathThe program must specify the needed properties (usually by pointing to a SAS configuration file)


Client Properties File

You can begin by copying the sas.client.props file from /WebSphere/AppServer/propertiescom.ibm.CORBA.loginSource can have three values: prompt, standard-in, and properties.

properties - two properties, loginUserId and loginPassword are used for user auth

Note: you can set these programmaticallyprompt - a popup dialog box at program startup prompts for a userid and password (only useful with GUI app)standard-in - a command line prompt asks for userid and password


com.ibm.CORBA.securityEnabled=truecom.ibm.CORBA.loginSource=promptcom.ibm.CORBA.loginTimeout=300com.ibm.CORBA.loginUserid=com.ibm.CORBA.loginPassword=com.ibm.CORBA.keytabFileName=C:/WebSphere/AppServer40/etc/keytab5com.ibm.CORBA.SSLTypeIClientAssociationEnabled=truecom.ibm.CORBA.SSLTypeIServerAssociationEnabled=truecom.ibm.CORBA.SSLKeyRing=C:/WebSphere/AppServer40/etc/DummyKeyring.jkscom.ibm.CORBA.SSLKeyRingPassword=WebAScom.ibm.CORBA.SSLServerKeyRing=C:/WebSphere/AppServer40/etc/DummyKeyring.jkscom.ibm.CORBA.SSLServerKeyRingPassword=WebAScom.ibm.CORBA.SSLV3SessionTimeout=9600com.ibm.CORBA.standardPerformQOPModels=confidentialitycom.ibm.CORBA.standardClaimQOPModels=integritycom.ibm.CORBA.bootstrapRepositoryLocation=nonecom.ibm.CORBA.authenticationTarget=BasicAuthcom.ibm.CORBA.disableSecurityDuringBootstrap=false

Sample sas.client.props Contents


Client StartupThe WAS admin tools (wscp, XMLConfig, etc) use sas.client.props. You may wish to copy this file and edit it for your needs as just described. If you do, you'll need to edit the startup scripts (.bat or .sh).You can also write new Java clients and run them

java -classpath %WAS_CP%;MyJar.jar;. -Dcom.ibm.CORBA.ConfigURL=file:/E:\MyApp\sas.myapp.props com.ibm.myApp.myApp

Note: you may wish to add '-Dcom.ibm.CORBA.principalName="clientXXX" '. This name will be used in WebSphere tracing and may be useful for debugging.


Security Reminder for SSL

You can use the "dummyKeyRing" that ships with WAS on your clients. However you are exposing the WAS private key to the clients.


Summary

We've outlined all of the core security issuesthere is much more to learn: policy based authorization tools, LDAP configuration, directory management, CA management, etc..there is a white paper authored by Keys Botzum "Enterprise Application Security" that overlaps with this presentation and provides more detail, however it is based on WAS 3.5.


ReferencesSSL

http://developer.netscape.com/docs/manuals/security/sslin/index.htmJ2EE 1.2, EJB 1.1, and Servlet 2.2 specs

http://java.sun.comAcknowledgements

Kyle Brown - coauthor of original presentationWAS Development Personel - answered my questionsWAS Education Group - I borrowed some slides from them

References & Acknowledgements


application security: websphere application … security: websphere application server (was) 4.0...

Documents