1. © Copyright IONA Technologies 2002 Colby Dyess Senior Engineer, XMLBus Hacks, cracks and 13 year olds! Avoiding Web Services Security Nightmares Preparing Your Enterprise for Web Services (Part I)

2. © Copyright IONA Technologies 2002 History Founded in Ireland in 1991; IPO on Nasdaq in 1997 Global company with headquarters in Dublin, Ireland and Waltham, MA Financial Performance Calendar year 2001 statistics –Revenues $181 million (65% license / 35% services) –Positive operating margins Team Over 900 employees in over 30 offices worldwide with a sales force of over 300 Strong blue chip customer and partner base IONA is a leading provider of comprehensive, standards-based enterprise infrastructure solutions for customers to build, deploy and integrate mission-critical applications that power core business processes The IONA Story

3. © Copyright IONA Technologies 2002 Integration: The “Killer App” for Web Services Set of industry standards for distributed computing Service-oriented architectures enable End to Anywhere™ integration E2A changes the economics of integration Web services is the driving technology – Simple – Effective – Unanimous industry support

4. © Copyright IONA Technologies 2002 Today’s Audience Familiar with SOAP, HTTP, SSL, WSDL and XML Limited exposure to security standards Need web service security in the near future (perhaps today!)

5. © Copyright IONA Technologies 2002 What Will be Discussed Security concerns Three layers of security Example uses of security layers

6. © Copyright IONA Technologies 2002 Security Concerns Control access to services and data Credential validation Private communication Ensuring message integrity

7. © Copyright IONA Technologies 2002 Security Layers –Protocol –Message –Application

8. © Copyright IONA Technologies 2002 Security – Protocol Layer –Basic Authentication –Digest Authentication –SSL (HTTPS) –Mutual Authentication

9. © Copyright IONA Technologies 2002 Security – Message layer –XML-Encryption –XML-Signature –WS-Security

10. © Copyright IONA Technologies 2002 Security – Application layer –App server/container –Security Assertions Markup Language-SAML –Proprietary

11. © Copyright IONA Technologies 2002 Meeting Security Needs Controlling access to services and data –Basic and Digest Authentication –SAML for Authorization Credential validation –SAML for Authentication –XML-Signature –Mutual Authentication

12. © Copyright IONA Technologies 2002 Meeting Security Needs Private communication –SSL (HTTPS) –XML-Encryption Ensuring message integrity –SSL (HTTPS) –XML-Signature

13. © Copyright IONA Technologies 2002 Basic Example SOAP Body Web Services Server Web Services Client Data Service Data HTTP

14. © Copyright IONA Technologies 2002 Entry-level Security SOAP Body Web Services Server Web Services Client Data Service Data HTTPS (SSL) Credentials HTTP Header Credentials Security System Security Assertions

15. © Copyright IONA Technologies 2002 Mid-level Security SOAP Body Web Services Server Web Services Client Data Service Data HTTPS (SSL) Credentials HTTP Header Credentials Auth. Platform Security Assertions Certificate Signed data Certificate

16. © Copyright IONA Technologies 2002 Higher-level Security SOAP Body Web Services Server Web Services Client Data Service Data HTTPS (SSL) Credentials HTTP Header Credentials Auth. Platform Security Assertions Certificate Signed Encrypted data Certificate Encrypt Decrypt

17. © Copyright IONA Technologies 2002 Conclusions Security needs may vary There are many security levels Combine “security” for improved strength Can be adopted today!

18. © Copyright IONA Technologies 2002 18 Integration broker platform Connects existing applications and services Allows creation of automated business process flows across extended enterprise using Web Services and XML standards Application server platform for developing, deploying and managing business application logic Hosted in J2EE, CORBA or mainframe environments using Web services standards It Takes A Platform

19. © Copyright IONA Technologies 2002 Orbix E2A ™ “Best Web Services Product” Simplifies EAI, B2Bi, and BPM

20. © Copyright IONA Technologies 2002 Web Services Integration Now! XMLBus.comVisit XMLBus.com and download Orbix E2A™ XMLBus Edition. Sign up for IONA training on Web services XMLBus.comDownload IONA’s Web services white paper at XMLBus.com Check out Orbix E2A™, the first e- Business Platform for Web Services Integration.

21. © Copyright IONA Technologies 2002 Upcoming Webcasts Don’t forget IONA World October 27 - 30th, San Diego, CA PART 3: B2B Collaboration: Expanding Web Services Architectures Tuesday, May 28 PART 2: Web Service Composition: Unlocking Your Interface Potential Thursday, May 23th

22. © Copyright IONA Technologies 2002 Questions?

23. © Copyright IONA Technologies 2002 Resources Open Standards –XML-Signature http://www.w3.org/Signature/http://www.w3.org/Signature/ –XML-Encryption http://www.w3.org/Encryption/2001/http://www.w3.org/Encryption/2001/ –W3C SOAP WG http://www.w3.org/2000/xp/Group/http://www.w3.org/2000/xp/Group/ –HTTP Auth http://www.ietf.org/rfc/rfc2617.txthttp://www.ietf.org/rfc/rfc2617.txt IONA –Web Service Integration Platform - XMLBus Edition http://www.xmlbus.comhttp://www.xmlbus.com –Enterprise Security in Web Services (white paper) http://www.xmlbus.com/learn/Web-Services-Security.pdfhttp://www.xmlbus.com/learn/Web-Services-Security.pdf –IONA Web service white papers http://www.iona.com/forms/wprequest.htmhttp://www.iona.com/forms/wprequest.htm –IONA XMLBus Edition newsgroup news://inews.iona.com/iona.products.orbixE2A.xmlbusnews://inews.iona.com/iona.products.orbixE2A.xmlbus

24. © Copyright IONA Technologies 2002 Additional Resources Microsoft –XML Web Service site http://msdn.microsoft.com/library/default.asp?url=/nhp/default.asp?contentid=28000442 http://msdn.microsoft.com/library/default.asp?url=/nhp/default.asp?contentid=28000442 –Security in a Web Services World: A Proposed Architecture and Roadmap http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnwssecur/html/securitywhitepaper.asp IBM –XML Security Suite http://www.alphaworks.ibm.com/tech/xmlsecuritysuite