EMEA USERS CONFERENCE 2017 LONDON #OSISOFTUC ©2017 OSIsoft, LLC
Building a Secure PI Web API Environment
Presented by Mike Sloves and Ray Verhoeff
User Conference 2017 Themes
What do we mean by secure?
• Basic summary of security concepts:
– Minimizing the “Attack Vector”
– Preventing various attacks
• Man in the Middle
• DDoS
• Etc.
– Staying inside your firewall does not make you immune
• What are we doing to help secure PI Web API?
What is PI Web API? (briefly…)
• RESTful Service
• Any client platform, language, etc.
• Modern method of supporting any device
• Away from your site using mobile
Methods of Securing PI Web API
• PI System Security
• Certificates
• Authentication
• Cross-Origin Resource Sharing (CORS)
• Cross-Site Request Forgery (CSRF)
• (Distributed) Denial of Service
• IT Resources
What is a Certificate?
An electronic document used to prove the ownership of a public key:
– Information about the key
– Information about its owner’s identity
– Digital Signature of a verifying entity
Does this all check out? YAY!!!!
My Bank…
My Bank is Secure!
Certificates
• How encryption works
• PI Web API has no HTTP option
– Why we insist on certificates
– “But I’m just doing development!”
• Getting a certificate is not difficult
How Certificates are used
• Client and Server negotiate:
– SSL/TLS version
– Ciphersuite
– Compression (if any)
• Client confirms that the Server’s certificate is valid
• Client and Server exchange keys to use for encryption
How to Get a Certificate
• Self-signed
• Buy one from a certificate vendor
– Verisign
– Geotrust
– Comodo
– Digicert
– Lots of others…Look it up, we did…
• Letsencrypt.com
– Free certificates! Becoming more popular
• Windows Domain Certificate
Authentication
• Anonymous
• Basic
• Kerberos
• And introducing…
Claims-Based Authentication
• Login using an external Identity Provider
– No need to expose corporate AD credentials
[Diagram: two zones, Business Network and Business Partner/Cloud/Mobile Network; components shown: a Claims ID Provider (OpenID Connect), Active Directory, PI Web API, the PI System, and the PI3/WCF link between PI Web API and the PI System]
Claims-Based Authentication
• Login using an external Identity Provider
– No need to expose corporate AD credentials
[Diagram: second variant; PI Web API and the PI Server sit inside the Business Network, connected over PI3/WCF, with Active Directory alongside; clients on the Business Partner/Cloud/Mobile Network sign in through the Claims ID Provider (OpenID Connect)]
How we did it
• OpenID Connect
– An Authentication layer on top of OAuth 2.0
– Controlled by the OpenID Foundation
– RESTful HTTP API using JSON format
– Wide acceptance in the industry
Response from /.well-known/openid-configuration:
```json
{
  "authorization_endpoint": "https://login.windows.net/59edc9e0-ed80-436b-b179-554c9b5eff79/oauth2/authorize",
  "token_endpoint": "https://login.windows.net/59edc9e0-ed80-436b-b179-554c9b5eff79/oauth2/token",
  "token_endpoint_auth_methods_supported": [
    "client_secret_post",
    "private_key_jwt"
  ],
  "jwks_uri": "https://login.windows.net/common/discovery/keys",
  "id_token_signing_alg_values_supported": [
    "RS256"
  ],
  "http_logout_supported": true,
  "frontchannel_logout_supported": true,
  "end_session_endpoint": "https://login.windows.net/59edc9e0-ed80-436b-b179-554c9b5eff79/oauth2/logout",
  "response_types_supported": [
    "code",
    "id_token",
    "code id_token",
    "token id_token",
    "token"
  ],
  "scopes_supported": [
    "openid"
  ],
  "issuer": "https://sts.windows.net/59edc9e0-ed80-436b-b179-554c9b5eff79/",
  "claims_supported": [
    "sub",
    "iss",
    "cloud_instance_name",
    "aud",
    "exp",
    "iat",
    "auth_time",
    "acr",
    "amr",
    "nonce",
    "email",
    "given_name",
    "family_name",
    "nickname"
  ]
}
```
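As an added example (not OSIsoft's code), the checks a relying party such as PI Web API should run against this discovery document and against the claims of an ID token it receives. The trimmed discovery copy, the client_id and the nonce values are constructed, and signature verification with the jwks_uri keys is assumed to be done by a JWT library before these claim checks run:

```python
import json
import time

# Constructed copy of the discovery document on the slide (only the fields this
# check needs). Verifying the token signature with the jwks_uri keys is assumed
# to be done by a JWT library before these claim checks run.
DISCOVERY_JSON = """{
  "issuer": "https://sts.windows.net/59edc9e0-ed80-436b-b179-554c9b5eff79/",
  "jwks_uri": "https://login.windows.net/common/discovery/keys",
  "id_token_signing_alg_values_supported": ["RS256"],
  "scopes_supported": ["openid"],
  "claims_supported": ["sub", "iss", "aud", "exp", "iat", "nonce", "email"]
}"""
REQUIRED_CLAIMS = ("iss", "sub", "aud", "exp", "iat")

def load_discovery(text=DISCOVERY_JSON):
    return json.loads(text)

def check_discovery(doc):
    """Sanity-check provider metadata; returns a list of problems (empty = ok)."""
    problems = []
    if not doc.get("issuer", "").startswith("https://"):
        problems.append("issuer must be an https URL")
    if not doc.get("jwks_uri", "").startswith("https://"):
        problems.append("jwks_uri must be an https URL")
    algs = doc.get("id_token_signing_alg_values_supported", [])
    if not algs or "none" in algs:
        problems.append("unsigned ID tokens must not be accepted")
    if "openid" not in doc.get("scopes_supported", []):
        problems.append("provider does not advertise the openid scope")
    return problems

def validate_id_token_claims(claims, doc, client_id, expected_nonce, now=None, leeway=60):
    """Validate a decoded ID token payload against the discovery document (the
    checks of OpenID Connect Core 1.0 section 3.1.3.7). Empty list = acceptable."""
    now = time.time() if now is None else now
    failures = [f"missing claim: {c}" for c in REQUIRED_CLAIMS if c not in claims]
    if failures:
        return failures
    if claims["iss"] != doc["issuer"]:
        failures.append("iss does not match the discovery issuer")
    aud = claims["aud"] if isinstance(claims["aud"], list) else [claims["aud"]]
    if client_id not in aud:
        failures.append("aud does not include this client_id")
    elif len(aud) > 1 and claims.get("azp") != client_id:
        failures.append("multiple audiences but azp is not this client")
    if claims["exp"] + leeway < now:
        failures.append("token has expired")
    if claims["iat"] - leeway > now:
        failures.append("iat is in the future")
    if expected_nonce is not None and claims.get("nonce") != expected_nonce:
        failures.append("nonce mismatch (possible replay)")
    return failures
```

The issuer comparison is what ties a token to this tenant: a token signed by the same identity provider for a different tenant carries a different iss and is rejected.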
Cross-Origin Resource Sharing (CORS)
[Diagram: the browser loads HTML, CSS and JavaScript from https://fire.web.net with a GET; that page's XMLHttpRequest to https://rain.web.net/piwebapi is blocked because no CORS origin is configured ("No CORS")]
Cross-Origin Resource Sharing (CORS)
[Diagram: the same page from https://fire.web.net; https://rain.web.net/piwebapi is now configured with CorsOrigins: https://fire.web.net, so the XMLHttpRequest succeeds and data is returned to the browser]
Cross-Site Request Forgery (CSRF)
• You log into a legitimate website
– Your browser keeps the authentication token
• You are tricked into visiting a bad website
– JavaScript containing evil code downloaded
• JavaScript executes
– Your authentication token is used
– Evil code does damage to your legitimate website!
CSRF Attack
[Diagram: the browser logs in to https://bank.net and keeps the token; a message with subject "Read bank.net’s new white paper!" leads the user to https://evil.net, whose HTML, CSS and JavaScript make the browser send POST bank.net/transfer, and the stored token goes along with it]
Cross-Site Request Forgery (CSRF)
• Existing applications may need to be updated!
– Good News: GET is fine
– Bad News: POST, PATCH, DELETE need attention
• Add header: X-Requested-With: XMLHttpRequest
• Good News (after the Bad)
– Modern browsers do this for you
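An added example, not PI Web API's own code, showing the two server-side checks from the CORS and CSRF slides side by side: an exact-match test of the Origin header against the CorsOrigins allow-list, and the X-Requested-With requirement for POST, PATCH and DELETE. The request-pipeline functions and the canonical header names are assumptions; the allow-list value is the one on the slide:

```python
from urllib.parse import urlsplit

# Allow-list as set in the PI Web API CorsOrigins configuration item (value
# from the slide). The functions below are a hypothetical stand-in for the
# service's request pipeline, not PI Web API's own code. Header names are
# assumed to be canonicalised ("Origin", "X-Requested-With") by the caller.
CORS_ORIGINS = ["https://fire.web.net"]
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}

def normalize_origin(origin):
    """Reduce an Origin value to scheme://host[:port], lower-cased, with the
    default port dropped, so the allow-list comparison is an exact match and
    never a prefix/substring test ("https://fire.web.net.evil.example" fails)."""
    try:
        parts = urlsplit(origin.strip())
        port = parts.port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    default = 80 if parts.scheme == "http" else 443
    suffix = f":{port}" if port and port != default else ""
    return f"{parts.scheme}://{parts.hostname}{suffix}"

def cors_headers(request_headers, allowed=CORS_ORIGINS):
    """CORS response headers for a request, or {} when Origin is absent or not
    allow-listed; without them the browser blocks the cross-origin read."""
    origin = request_headers.get("Origin")
    if origin is None:
        return {}
    norm = normalize_origin(origin)
    if norm is None or norm not in {normalize_origin(a) for a in allowed}:
        return {}
    return {
        "Access-Control-Allow-Origin": norm,
        "Access-Control-Allow-Credentials": "true",
        "Access-Control-Allow-Headers": "X-Requested-With, Content-Type",
        "Vary": "Origin",
    }

def csrf_check(method, request_headers):
    """GET is safe; POST/PATCH/DELETE (and PUT) must carry X-Requested-With.
    An HTML form cannot add that header, and a script on another origin can
    only add it after a CORS preflight, which the allow-list above controls."""
    if method.upper() not in STATE_CHANGING:
        return True
    return request_headers.get("X-Requested-With", "").lower() == "xmlhttprequest"

def accept(method, request_headers, allowed=CORS_ORIGINS):
    """Service decision for one request: (accepted, CORS headers to send)."""
    if not csrf_check(method, request_headers):
        return False, {}
    return True, cors_headers(request_headers, allowed)
```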
Custom Headers
• HTTP defines a long list of request and response headers
• Some instruct browser on which rules to enforce and how
• Example:
– Referer: strict-origin
Custom Headers
• PI Web API 2017 R2 introduces custom headers
• You can create your own custom headers with values
• Your settings override ours
• Don’t use this to disable security settings!
• Example:
– Content-Security-Policy: unsafe-eval
Online Security Audit Tools
• https://observatory.mozilla.org/
• https://securityheaders.io/
(Distributed) Denial of Service
• Throughput limits implemented in PI Web API configuration:
– RateLimitMaxRequests
– RateLimitDuration
– MaxReturnedItemsPerCall
• Set PI Web API to read-only:
– DisableWrites configuration item
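An added example (hypothetical code, not PI Web API's implementation) of how the three throughput settings behave together: a sliding-window limiter driven by RateLimitMaxRequests and RateLimitDuration, and truncation of a result set to MaxReturnedItemsPerCall. The client keys and timestamps are constructed:

```python
from collections import deque

class ThroughputGuard:
    """Sliding-window request limiter plus a cap on items returned per call.
    The constructor parameters mirror the PI Web API configuration items named
    on the slide; the class itself is hypothetical, not PI Web API's code."""

    def __init__(self, rate_limit_max_requests, rate_limit_duration,
                 max_returned_items_per_call):
        self.max_requests = rate_limit_max_requests
        self.duration = rate_limit_duration      # window length in seconds
        self.max_items = max_returned_items_per_call
        self._windows = {}                       # client key -> deque of timestamps

    def allow(self, client, now):
        """True if this client may make a request at time `now` (seconds).
        A denied request is not counted, so a flood cannot extend its own ban."""
        window = self._windows.setdefault(client, deque())
        while window and now - window[0] >= self.duration:
            window.popleft()                     # drop requests outside the window
        if len(window) >= self.max_requests:
            return False                         # would be answered with HTTP 429
        window.append(now)
        return True

    def retry_after(self, client, now):
        """Seconds until the oldest in-window request ages out (Retry-After)."""
        window = self._windows.get(client)
        if not window or len(window) < self.max_requests:
            return 0
        return max(0, self.duration - (now - window[0]))

    def truncate(self, items):
        """Apply MaxReturnedItemsPerCall: returns (items_sent, was_truncated)."""
        if len(items) <= self.max_items:
            return list(items), False
        return list(items[: self.max_items]), True
```

Limits are per client key, so one noisy client is throttled without affecting the others; the truncated flag is what a paging response would report to the caller.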
**YOUR** IT Department (not ours…)
• VPN
• Secure Communications
• Disable Writes
– POST restriction in PI Web API configuration
• Use Load Balancers/Routers/Switches to limit connectivity
Which method should I use?
Checklist
• Intranet
– Certificate
– CORS
– CSRF
– Authentication Model
– Target Platforms
– Denial of Service defenses
Checklist
• Extranet
– Everything in the Intranet Checklist, plus:
– Authenticate: Basic or Claims-Based
• Either way: a local Windows Domain Controller is needed to support your user community
Have an idea how to improve our products? OSIsoft wants to hear from you!
https://feedback.osisoft.com/
Thank You
Questions
Please wait for the microphone before asking your questions.
State your name & company.
Please remember to complete the Online Survey for this session: http://bit.ly/uc2017-app
Contact Information
Mike Sloves
Group Leader
OSIsoft, LLC
Ray Verhoeff
Product Manager
OSIsoft, LLC