Using WS-I to Build Secure Applications
Anthony Nadalin
Web Services Interoperability Organization (WS-I)
Copyright 2008, WS-I, Inc. All rights reserved.

Slide 2: Agenda
- Introduction to WS-I
- Value proposition, goals and deliverables
- What is a profile? Philosophy of a profile
- WS-I profiles and technical highlights
- Building Secure Applications

Slide 3: WS-I
- An open industry effort
  - Chartered to advance Web services interoperability across platforms, applications and programming languages
- Broad participation
  - Users, software vendors, consultants, industry organizations, etc.
- Establish best practices for achieving interoperability
  - Based on existing and broadly supported standards
- Cooperate with standards development organizations
  - Consume standards, address industry organization requirements

Slide 4: WS-I: Goals
- Achieve Web services interoperability
  - Provide a visible representation of conformance for a selected set of composable standards
- Accelerate Web services deployment
  - Offer implementation guidance and Best Practices
  - Deliver tools and sample applications
  - Provide an implementer's forum where developers can collaborate
- Encourage Web services adoption
  - Provide a forum for end users to communicate requirements
  - Raise awareness of customer business requirements

Slide 5: WS-I: Deliverables
- Profiles
  - Defined set of specifications or standards at specific version levels
  - Guidelines and conventions for using these specifications together in ways that ensure interoperability
- Sample applications
  - Use cases and usage scenarios based on customer requirements
  - Sample code and applications built in multiple environments
  - Demonstrate profile-based interoperability
- Test tools and supporting materials
  - Tools that test profile implementations for conformance with the profiles
  - Supporting documentation and white papers

Slide 6: WS-I: Delivered to Date
- Final Material
  - Basic Profile 1.0 and 1.1, Basic Security Profile 1.0, Simple SOAP Binding Profile 1.0 and Attachments Profile 1.0
  - Sample Application Implementations 1.0
  - Testing Tools 1.0
  - Security Challenges, Threats and Countermeasures
- Draft Material
  - Basic Security Profile 1.1
  - REL and SAML Token Profiles 1.0
  - Testing Tools for the Basic Security Profile and Attachments Profile

Slide 7: What is a Profile?
- Named set of Web services
- Base specifications are normative
- Profiles add constraints and guidance as to their interoperable usage, based upon implementation experience
- Organized around base specification

Slide 8: Philosophy of a Profile
- No guarantee of interoperability
- Does not address application semantics
- Focus on testable requirements
- Makes strong requirements
  - MUST vs. SHOULD
- Never relaxes requirements
- Chooses among multiple mechanisms
- Focus on interoperability
- Conformance on measurable targets
  - MESSAGE, DESCRIPTION, etc.
- Addresses issues at application layer

Slide 9: Basic Profile 1.0 & 1.1
- More than 200 interoperability issues resolved
- Reference specifications and standards include:
  - SOAP 1.1
  - WSDL 1.1
  - UDDI 2.0
  - XML Schema
  - XML 1.0 (Second Edition)
  - HTTP 1.1
  - SSL 3.0
- Other supporting referenced specifications and standards

Slide 10: Next Steps
- WS-I has received ISO PAS Submitter status
  - PAS == Publicly Available Specification
- Basic Profile 1.1, Simple SOAP Binding 1.0 and Attachments 1.0 have been submitted to ISO (Aug 2006)

Slide 11: Basic Security Profile 1.x
- Security Challenges, Threats and Countermeasures (SCTC)
  - Identify security challenges
    - Peer identification and authentication
    - Data origin identification and authentication
    - Data integrity and confidentiality
    - Non-repudiation
  - Identify threats
  - Identify countermeasures
    - SSL/TLS, HTTP Basic, Digest and X509 cert auth
    - SOAP Message Security (WS-Security)
- Usage scenarios defined
- BSP 1.1 underway
- Implementations widely available today

Slide 12: Developing Web Services Using WS-I Profiles & Materials
These next charts provide information you can use to develop/deploy Web services using the WS-I materials.

Slide 13: Developing Web Services Using WS-I Profiles & Materials
- Do not use SOAP encoding
  - Use only rpc- and document-literal styles
- Use the SOAP/HTTP binding
  - Other bindings out of scope, but may be used
  - However, interoperability issues may be encountered
- Be sure that your tools use the WS-I WSDL schemas
- Do not use wsdl:import to import XSD files
  - URI MUST point to a WSDL file (e.g. foo.wsdl)
- Do not use xs:import to import a schema from a WSDL file
  - URI MUST point to a schema document (e.g. foo.xsd)
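
The WSDL rules on this slide can be checked mechanically before a service description is published. The following Python checker is an added example, not part of the original presentation and not the WS-I testing tools; the function name `check_wsdl`, the sample WSDL and its `urn:example:` names are constructed, and treating a missing `use` attribute as literal and judging import targets by file extension are assumptions.

```python
import xml.etree.ElementTree as ET

WSDL = "http://schemas.xmlsoap.org/wsdl/"
SOAP = "http://schemas.xmlsoap.org/wsdl/soap/"
XSD = "http://www.w3.org/2001/XMLSchema"
SOAP_HTTP = "http://schemas.xmlsoap.org/soap/http"

def check_wsdl(text):
    """Return findings for the slide's WSDL rules (hypothetical helper).
    Intended for trusted, local WSDL text; imports are not fetched."""
    root = ET.fromstring(text)
    out = []
    # SOAP encoding appears as use="encoded"; a missing use attribute is
    # treated as literal here (assumption).
    for tag in ("body", "header", "headerfault", "fault"):
        for el in root.iter(f"{{{SOAP}}}{tag}"):
            if el.get("use", "literal") != "literal":
                out.append(f"soap:{tag} use={el.get('use')!r}: SOAP encoding")
    # Other transports are allowed but outside the profile, so report them.
    for el in root.iter(f"{{{SOAP}}}binding"):
        if el.get("transport") != SOAP_HTTP:
            out.append(f"soap:binding transport={el.get('transport')!r}: not SOAP/HTTP")
    # File-extension tests are a heuristic (assumption) modelled on the
    # slide's foo.wsdl / foo.xsd examples.
    for el in root.iter(f"{{{WSDL}}}import"):
        if el.get("location", "").split("?")[0].lower().endswith(".xsd"):
            out.append(f"wsdl:import of {el.get('location')!r}: points at a schema")
    for el in root.iter(f"{{{XSD}}}import"):
        if el.get("schemaLocation", "").split("?")[0].lower().endswith(".wsdl"):
            out.append(f"xs:import of {el.get('schemaLocation')!r}: points at a WSDL")
    return out

# Constructed sample WSDL with four deliberate violations.
SAMPLE = f"""<definitions xmlns="{WSDL}" xmlns:soap="{SOAP}" xmlns:xs="{XSD}"
    xmlns:tns="urn:example:orders" targetNamespace="urn:example:orders">
  <import namespace="urn:example:types" location="types.xsd"/>
  <types><xs:schema targetNamespace="urn:example:orders">
    <xs:import namespace="urn:example:common" schemaLocation="common.wsdl"/>
  </xs:schema></types>
  <binding name="OrdersBinding" type="tns:Orders">
    <soap:binding style="rpc" transport="urn:example:smtp-transport"/>
    <operation name="submit">
      <input><soap:body use="encoded"/></input>
      <output><soap:body use="literal"/></output>
    </operation>
  </binding>
</definitions>"""

print("\n".join(check_wsdl(SAMPLE)))
```
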

Slide 14: Developing Web Services Using WS-I Profiles & Materials
- Adopt WS-I Conformance as an architectural policy for deployed Web services, especially those exposed to the extranet
- Use your IDE to validate WS-I Profile conformance
  - If it doesn't provide this, use the WS-I tools
- Set your IDE's WS-I conformance preferences
  - If there is no preference option for this, ask why not!
- Use WS-I Usage Scenarios to design your interactions
- Use the WS-I Sample Applications as templates for your services

Slide 15: Conformance
- Web service instance and artifacts only
  - Not conformance of runtimes or development tools
- Conformance is based on profile specification
- Must be capable of passing WS-I Testing Tools
  - Best indicator of conformance with profile(s)
  - Tools do not cover all requirements
- Self-certification process
  - Claimant tests instance and artifacts
  - Others can run test tools to verify claim
  - Resolve conformance bugs through usual update process

Slide 16: Leverage WS-I Usage Scenarios
- One-way messaging
  - Fire and forget
  - No SOAP response
- Synchronous message exchange
  - Blocking Web services invocation
  - SOAP request/response
- Basic callback
  - Asynchronous call
  - Pair of SOAP requests/responses
  - Application-level message correlation

Slide 17: Web Services – a Simple View
[Diagram: layered Web services stack. Layer names: Business Processes, Quality of Service, Description, Messaging. Component labels: Business Process Execution Language for Web Services (BPEL4WS); Security, Reliability, Management, Transactions; Web Services Description Language (WSDL); Simple Object Access Protocol (SOAP); Extensible Markup Language (XML); Other Protocols; Other Services.]

Slide 18: Web Services and SOA Security
[Diagram: Web services standards stack. Layer names: Business Processes, Quality of Service, Description and Discovery, Messaging and Encoding, Transport. Component labels: Business Process Execution Language; WS-Coordination, WS-Transactions, WS-Reliable Messaging, WS-Security; WS-Policy, UDDI, WSDL; SOAP, SOAP Attachments, XML, XML Infoset; Transports; Other protocols; Other services. Security detail: WS-Security Policy, WS-Secure Conversation, WS-Trust, WS-Security (framework, OASIS 1.0) with X.509, Kerberos, REL, Username, Mobile and SAML profiles; OASIS Secure eXchange TC; SAML; Liberty.]

Slide 19: BSP Working Group
- Chartered in March, 2003
- Three initial deliverables
  - Basic Security Profile 1.0, Final Material March 30, 2007
  - Basic Security Profile 1.1, Working Group Approval Draft February 2007
  - Security Scenarios
- Based on Basic Profile 1.0 and the following technologies:
  - HTTP over TLS
  - SOAP with Attachments
  - WS Security and x.509, Username and Kerberos tokens