Web Services Reliable Messaging and Security Paul Fremantle VP of Technology WSO2
© WSO2, Inc, 2006 About me Co-founder and VP of Technology and Partnerships at WSO2 The leading Open Source Web services company Co-Chair of the OASIS WSRX Technical Committee Committer on Apache Synapse Member of the Apache Software Foundation Co-author of Building Web Services in Java 2 nd EditionBuilding Web Services in Java 2 nd Edition Ex IBM Senior Technical Staff Member developed the IBM Web Services Gateway Apache WSIF Apache Axis C/C++ JWSDL/WSDL4J – now Apache Woden
© WSO2, Inc, 2006 Contents Introduction to WS-Reliable Messaging Composing WSRM and Security Potential attacks on a reliable exchange Securing the Sequence Summary
© WSO2, Inc, 2006 WSRM Aims To help ensure that messages are delivered to their destination Exactly Once In Order is the most common requirement “Composable” with other specifications and existing systems Doesn’t re-implement those aspects Has the ability to work with other standards (security, transactions, addressing)
© WSO2, Inc, 2006 History A specification designed by IBM, Microsoft, BEA and Tibco Designed to compose with WS- Addressing, WS-Policy Originally published in March 2003 Refreshed March 2004, Feb 2005 Submitted to OASIS June 2005
© WSO2, Inc, 2006 This presentation Mainly based on the public review (CD4) of WSRM 1.1 (OASIS) With appropriate comments on the Submission spec (WSRM 1.0)
© WSO2, Inc, 2006 WS-Reliability An alternative specification proposed by Fujitsu, Hitachi, NEC, Oracle, Sun Submitted to OASIS and standardized, currently at v1.1 One available implementation: RM4GS Reliable Messaging for Grid Service A sample/reference implementation
© WSO2, Inc, 2006 Confusion WS-R WSRM OASIS WSRM committee WS-RX committee
© WSO2, Inc, 2006 WS-RX TC members include representatives of: Actional Corporation Adobe Systems BEA Systems, Inc. BTplc Choreology Ltd. Ericsson Fujitsu Limited Hitachi, Ltd. IBM IONA Technologies JBoss Inc. Microsoft Corporation NEC Corporation Nortel Networks Limited Novell Oracle Corporation SAP AG Sonic Software Corp. Sonoa Systems, Inc. Sun Microsystems Tibco Software Inc. webMethods, Inc. WSO2 While the TC is working from the submitted spec, it aims to meet the requirements of all the TC members within the scope of the charter
Introduction to WSRM
© WSO2, Inc, 2006 The core model CreateSequence and CreateSequenceResponse Messages allocated to the sequence Acknowledgement Resend of unacknowledged messages TerminateSequence and TerminateSequenceResponse
© WSO2, Inc, 2006 Simple example
© WSO2, Inc, 2006 WS-RM core model
© WSO2, Inc, 2006 Delivery Assurances Previous spec (1.0) explicitly called out the delivery assurances: At least once At most once Exactly once (at least+at most) InOrder 1.1 allows the RMD to specify IncompleteSequenceBehaviour DiscardEntireSequence DiscardFollowingFirstGap NoDiscard
© WSO2, Inc, 2006 Verbs SOAP Body: CreateSequence/CreateSequenceResponse CloseSequence*/CloseSequenceResponse* TerminateSequence/TerminateSequenceResponse* SOAP Header: Sequence AckRequested SequenceAcknowledgement * Indicates added since submitted to OASIS
© WSO2, Inc, 2006 CreateSequence wsa:EndpointReferenceType xs:duration ? xs:anyURI xs:duration ?... ?...
© WSO2, Inc, 2006 CreateSequenceResponse xs:anyURI xs:duration ? ? wsa:EndpointReferenceType ?...
© WSO2, Inc, 2006 CreateSequence/Response Sent in the body AcksTo specifies the place where acknowledgements are sent Expires is optional Offer is an optional way of initiating a Sequence in the reverse direction Can respond with CreateSequenceRefused fault
© WSO2, Inc, 2006 CloseSequence xs:anyURI... Sent from the RMS to the RMD Added to help close down incomplete sequences After a sequence is closed, no new messages are received But still responds to AckRequested Allowing the final state of the sequence to be ascertained
© WSO2, Inc, 2006 TerminateSequence xs:anyURI... Sent from the RMS to the RMD - indicates that the sequence will no longer be used Normally sent when the sequence is complete – all sent messages have been acknowledged Can be sent at any time
© WSO2, Inc, 2006 TerminateSequenceResponse This was added by the TC to allow the RMS to know that the RMD successfully terminated the sequence xs:anyURI...
© WSO2, Inc, 2006 Sequence Header The primary header – added to every message that is in a Sequence Adds the sequence identifier and the message number xs:anyURI wsrm:MessageNumberType...
© WSO2, Inc, 2006 AckRequested xs:anyURI... Allows a RMS to request an acknowledgement from the RMD RMD must reply at once Must be a full acknowledgement (no Partial Answer Mode)
© WSO2, Inc, 2006 SequenceAcknowledgement xs:anyURI [ [ [ <wsrm:AcknowledgementRange... Upper="wsrm:MessageNumberType" Lower="wsrm:MessageNumberType"/> + | ] ? ] | wsrm:MessageNumberType + ]... A complete set of ranges May be Final – indicating no more messages will be accepted Or None (may be Final) Or Nacks of individual messages
© WSO2, Inc, 2006 “Optimistic” model Because the whole Sequence is acknowledged, it is possible to use WSRM with very little overhead over a sequence of messages CreateSequence Messages flow with Sequence headers, plus occasional acknowledgements TerminateSequence
© WSO2, Inc, 2006 Offer and Accept Offered sequence is a way of cutting down the “back-and-forth” There is no specific requirement that the Offered sequence is used for responses But usual behaviour
© WSO2, Inc, 2006 WSRM Policy The submitted spec had a number of parameters available in policy. AcknowledgementInterval was moved to CS Dynamic optimization of protocol timing is more effective than static parameters.
© WSO2, Inc, 2006 A two-way reliable interaction ClientServer CreateSequence + Offer CreateSequenceResponse(A) + Accept(B) Request 1 Response 1 + ackA1 Request 2 + ackB1 Request 3 + AckB1 Response 3 + ackA123 Response 2 ackB123 TerminateSequence(A) TerminateSequenceResponse + AckA123_Final TerminateSequence(B) TerminateSequenceResponse + AckB123_Final
© WSO2, Inc, 2006 Anonymous clients The protocol supports one-way reliability with anonymous clients May be reliable-in/unreliable-out acksTo will be anonymous Uses piggybacked acks
© WSO2, Inc, 2006 Anonymous clients and two-way The WSRM1.1 specification has added a new verb to support this: MakeConnection client CS+Offer(seq2) server CSR(seq1)+Accept msg1(seq1) response1(seq2) +ack(seq1) msg2(seq1) + ack(seq2) msg3(seq1) + ack(seq2) response3(seq2) + ack(seq1) MakeConnection(seq2) response2(seq2)
© WSO2, Inc, 2006 Uptake Still gated by lack of a “standard” Industry has definitely moved to WSRM spec Examples: Canadian government project built a solution on WSRM spec A major Wall Street bank is looking at widespread adoption of WSRM Ford and Daimler Chrysler are planning major implementations Other groups such as RAMP, FIXprotocol, will profile RM
© WSO2, Inc, 2006 Composability with Security WSRM is inherently designed to compose with security systems SSL/TLS WS-Security WS-SecureConversation
© WSO2, Inc, 2006 Basic Composability WS-Security WS-ReliableMessaging WS-AtomicTransactions Transactional Secure Transactional Secure Reliable Transactional Secure Reliable
© WSO2, Inc, 2006 Composability works! Numerous demonstrations of WSRM + WSSecurity WSRM and WSSecureConversation WSO2’s Web Service App Server fully supports these combinations
© WSO2, Inc, 2006 Composability isn’t enough Unfortunately, there is a problem Composability ensures that the application can be secured But doesn’t secure the sequence
© WSO2, Inc, 2006 Why isn’t SSL or WSSec enough? Party 1 Authorized RM enabled system RM Sequence Party 2 Authorized Attack on Sequence
© WSO2, Inc, 2006 Sequence attacks are real Probably the most famous hack ever was a sequence attack TCP Sequence Prediction Based on predicting the correct sequence number for a packet and getting your packets in first First identified by Robert Morris in 1985 but thought impractical and unlikely Actually implemented by Kevin Mitnick against Tsutomu Shimomura on Christmas Day 1994
© WSO2, Inc, 2006 So what can we learn from this? 1. Don’t login on Christmas Day 2. Protect your sequence
© WSO2, Inc, 2006 Integrity Threats Any modification to any of the RM protocol messages Countermeasures Signing the headers To prevent headers being swapped, Sequence headers should be signed with the body
© WSO2, Inc, 2006 Denial of Service Threat Many unused CreateSequences Target an in-order sequence with missing messages Countermeasures Restrict sequence creation to authorized parties Monitor sequences for DoS attacks Similar to secure TCP stacks
© WSO2, Inc, 2006 Sequence Spoofing Threats Hijacking Injecting fake or wrong messages into a sequence Incorrectly acknowledging messages Countermeasures Tie the Sequence to a security context Each side associates the sequence with security credentials used during creation Only accepts Sequence Traffic from the same entity
© WSO2, Inc, 2006 SSL/TLS example RMSRMD Create SSL/TLS session(s) Send CreateSequence over TLS session Sequence Traffic / TLS Sequence Traffic / different TLS Sequence Ack / TLS Sequence Ack / different TLS CreateSequenceResponse over TLS
© WSO2, Inc, 2006 Ensuring that the Sequence is secure Add this header block The mustUnderstand ensures that the RMD “agrees” to the contract Otherwise it should fault
© WSO2, Inc, 2006 Restrictions SSL / TLS is only point-to-point Any intermediaries must be trusted to maintain integrity The sequence must last no longer than the SSL/TLS session
© WSO2, Inc, 2006 WS-Security Provides SOAP message security Authentication Encryption Message and header digital signatures Message level security
© WSO2, Inc, 2006 SecureConversation An extension to WS-Security that allows a secure context to be established between two parties Potentially used together with WS- Trust
© WSO2, Inc, 2006 Secure Conversation
© WSO2, Inc, 2006 Benefits over just WS-Security In WS-Security, a public key is used for every message Highly inefficient
© WSO2, Inc, 2006 WS-SecureConversation in RM …...
© WSO2, Inc, 2006 SecureConversation example RMSRMD Create WSSC secure context Send CreateSequence including STReference Sequence Traffic, signed headers and body Sequence Traffic / different SecurityContext Sequence Ack including STReference Sequence Ack / different context CreateSequenceResponse
© WSO2, Inc, 2006 Ensuring that this model is in place This forces the RMD to ensure that the sequence is secured using the supplied STR
© WSO2, Inc, 2006 WS-I RSP Reliable Secure Profile Proposed by IBM, Ford, DaimlerChrysler Aiming at creating a supplier network based on secure reliable SOAP WSRM 1.1 WS-SecureConversation 1.3
© WSO2, Inc, 2006 RX TC Status and Roadmap 60-day Public Review completed Aiming to have dealt with all comments by the end of year Aiming for a standard Q1 2007
© WSO2, Inc, 2006 Implementations Microsoft Windows Comm Framework WCF aka Indigo Supports the submitted spec IBM WebSphere 6.1 “IBM intends to make a fully supported Web Services Reliable Messaging solution available for WebSphere Application Server V6.1 early in 2007” Apache Sandesha 1.0 Supports the submitted spec and CD3 of WSRM 1.1 WSO2 Tungsten Supported package of Apache Axis2, WSS4J, Sandesha2 Plus implementations from: Systinet, Oracle, SAP, Sun, BEA
© WSO2, Inc, 2006 OASIS March Interop results IBM, MSFT, WSO2, SAP, Oracle RMS\ RMD P1P2P3P4P5 P P P P P
© WSO2, Inc, 2006 Resources WSRX TC Homepage Submitted specification Cover pages Reliable Messaging Apache Sandesha