Quadrasis/Xtradyne Soap Content Inspector

They carefully planned for days for the worst possible attack. Once their presence was detected, the enemy's agents, who were stealthy and highly intelligent, would surely be drawn to their defensive walls. It would only be a matter of time before the ongoing and relentless probing would begin, eventually finding some unknown and unforeseen weakness in its design. Once compromised, the walls would surely be breached and the eventual plundering and destruction would spell doom for the innocent inhabitants within. Instinctively they knew not to underestimate the dark and ever-present forces residing in the ether...

This may sound like a scene from the latest Lord of the Rings movie. Actually, it depicts an everyday event for Internet service providers: bringing new servers online. In many cases it takes only a few minutes for firewall probing to start once a new Web server is exposed to the Internet.

This is the world that global Web services must exist in, and it does not paint a pretty picture. Luckily, standards are emerging to address the numerous Web service security issues (WS-Security, SAML), along with new products that implement them. Quadrasis SOAP Content Inspector is one such product, built to tackle the tough Web service security issues of today.

Overview
The Quadrasis/Xtradyne SOAP Content Inspector (SCI) provides a flexible and comprehensive set of solutions for protecting Web service resources both inside and outside the corporate firewall. It comprises three main components which, depending on the installation, can reside on a single server or on separate boxes. The SCI Policy Server manages the various security policies and makes all decisions regarding access to resources. The SCI Proxy Server intercepts SOAP requests and, depending on the decision made by the Policy Server, either passes the request to the protected Web service or denies access to it. The final component, the SCI Administration Console, lets you maintain user names and user groups, exercise role-based access control over Web service resources, configure message encryption, and set up event monitoring (see Figure 1).


Regarding user stores, you can either use a built-in database for user information or configure SCI to retrieve user information from a directory server over LDAP. SCI is compatible with several of the leading directory service products, including Netscape (iPlanet).

If your security design involves processing SAML assertions that carry attribute data (e.g., pulled from an LDAP server), you'll need to install an additional product from Quadrasis. I'll have more on that later.

4A Functionality
The functionality provided by Soap Content Inspector can be summarized in four basic functional categories: authentication, authorization, auditing, and administration. Authentication limits access to clients that can prove their identity by one of several mechanisms: SSL client certificate, HTTP basic authentication, SAML assertion, or anonymous public access where a policy permits it. Basically, you had better be who you claim to be or you cannot use the Web service resource.

Authorization restricts an authenticated SOAP client to only the Web service resources spelled out by the policy information stored on the Policy Server. An SCI policy can authorize access down to the individual SOAP RPC method, with access control lists maintained at both the user and the user-group level.

For auditing, Soap Content Inspector can log a number of events, including connection establishment, authentication results, and authorization results. You have the option of logging to a flat file or to the Windows 2000 event log service.

The last of the 4A feature list, administration, represents the GUI-based SCI Admin Console provided with Soap Content Inspector. The console has two views, professional and expert. The professional view is where you would spend most of your time when setting up your policies and other configuration settings; it arranges things logically by function. The expert view, on the other hand, is essentially one large hierarchically arranged property sheet for the system. You go there only if you need to tweak something that the professional view does not normally expose. I found the Admin Console fairly straightforward and easy to use. Soap Content Inspector keeps security arrangements at a single policy level and does not include higher levels of abstraction, such as domains and realms, found in other security policy services. This makes security policies easier to configure and administer.

One last set of features, not really part of the 4A feature list, involves message integrity and validation. Soap Content Inspector detects malformed messages by validating the XML inside the SOAP message. It can also digitally sign the SOAP header and message body as a whole, so that any modification after signing is detected when the signature is checked.

Architecture
One of the more interesting features of the SOAP Content Inspector is its flexibility in handling SAML (Security Assertion Markup Language) assertions, one of the emerging standards in Web services today. An assertion is essentially a mechanism for passing security information from one party to another. A SAML assertion carried in the SOAP header can convey authentication and authorization information that was populated ahead of time by some authentication service. The assertion thereby carries the issuer's statement of who the subject is and how they were authenticated, together with information about which Web service resources the subject is authorized to access.

SCI can be set up as a proxy for the Web service: it authenticates the client (user) of the message, creates and appends a SAML assertion to the message, and forwards the message to the real Web service application. With the SAML assertion firmly attached to the SOAP header, the message can be forwarded on to other nested Web services, giving them a single sign-on mechanism.

In another mode of operation, called Federated Trust, SOAP Content Inspector can be configured on both the client and the service side of the Web service, acting in a sense as a dual proxy (see Figure 2). The client forwards the SOAP message to the client-side proxy and provides the necessary authentication; the client-side proxy then attaches a SAML assertion to the message. The message is delivered to the server-side proxy, where the SAML assertion is processed. If the client is authorized to use the Web service, the validated SAML assertion is retained in the SOAP message and the request is forwarded to the true Web application. The assertion processing occurs under the covers and provides a transparent and secure means for SOAP messages to be delivered over the Internet.


Another strength of the SOAP Content Inspector is its ability to inject attribute information (user e-mail addresses, business addresses, etc.) into SAML assertions. At the time of this review it is the only product on the market I am aware of with this level of functionality. In order for SOAP Content Inspector to do this, you must install and configure EASI Security Unifier, which requires a separate product installation (and license) from Quadrasis. With attributes embedded in the SAML assertion, a Web service is not only assured that the client is authenticated and authorized to use the service, but also has relevant and current user information available for processing. Because the attributes ride inside the validated assertion, the service can rely on them as it relies on the identity itself. This saves the Web service from making separate trips to an LDAP server and from needing its own LDAP connect, bind, and search configuration settings.
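The Federated Trust flow, the method-level authorization and auditing from the 4A section, and the attribute injection just described, worked through in one piece of code. This is an added example, not SCI's code or anything from Quadrasis: the client-side proxy authenticates a user and issues a SAML 1.x assertion (subject, validity window, audience, and mail/group attributes) into a wsse:Security header; the server-side proxy rejects malformed XML, checks the issuer, the signature, the time window and the audience, authorizes the SOAP RPC method against a per-user/per-group ACL, and returns the decision together with the audit events and the attributes the real service can consume without an LDAP lookup. Everything here is constructed: the issuer name, the users, the policy, the clock, and the shared-secret HMAC that stands in for an XML-DSig signature (both are computed over canonicalized XML, which is the point that matters for tamper detection).

```python
"""Two-proxy SAML flow as the article describes it: the client-side proxy signs an
assertion carrying attributes, the server-side proxy validates it and authorizes the
SOAP method. Added example, not SCI code; all names, keys and policy are constructed."""
import base64
import datetime as dt
import hmac
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
SIG = "urn:example:hmac-signature"  # stand-in for XML-DSig (see _c14n)
for prefix, uri in (("soap", SOAP), ("wsse", WSSE), ("saml", SAML), ("sig", SIG)):
    ET.register_namespace(prefix, uri)
TS = "%Y-%m-%dT%H:%M:%SZ"
NOW = dt.datetime(2003, 5, 1, 12, 0, 0)       # constructed clock
EXPIRED = NOW + dt.timedelta(minutes=10)        # beyond the 5-minute validity window
# Constructed stores: a shared secret per trusted issuer (a real deployment would hold the
# issuer's certificate), users standing in for the built-in DB or LDAP, and a method-level ACL.
ISSUER_KEYS = {"urn:example:client-proxy": b"constructed-shared-secret"}
USERS = {"alice": {"pw": "alice-pw", "groups": ["staff"], "mail": "alice@example.com"},
         "bob": {"pw": "bob-pw", "groups": ["staff"], "mail": "bob@example.com"}}
POLICY = {"urn:svc:Orders": {"getOrder": {"users": set(), "groups": {"staff"}},
                             "cancelOrder": {"users": {"bob"}, "groups": set()}}}


def _c14n(elem):
    """Bytes the signature covers: C14N output, as XML-DSig uses (HMAC replaces RSA here)."""
    return ET.canonicalize(ET.tostring(elem, encoding="unicode"), strip_text=True).encode()


def issue_assertion(user, password, audience, issuer, now):
    """Client-side proxy: authenticate, then build and sign a SAML 1.x assertion."""
    rec = USERS.get(user)
    if rec is None or not hmac.compare_digest(rec["pw"], password):
        raise PermissionError("authentication failed")
    a = ET.Element(f"{{{SAML}}}Assertion", Issuer=issuer, IssueInstant=now.strftime(TS))
    cond = ET.SubElement(a, f"{{{SAML}}}Conditions", NotBefore=now.strftime(TS),
                         NotOnOrAfter=(now + dt.timedelta(minutes=5)).strftime(TS))
    ET.SubElement(ET.SubElement(cond, f"{{{SAML}}}AudienceRestrictionCondition"),
                  f"{{{SAML}}}Audience").text = audience
    auth = ET.SubElement(a, f"{{{SAML}}}AuthenticationStatement",
                         AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password")
    ET.SubElement(ET.SubElement(auth, f"{{{SAML}}}Subject"), f"{{{SAML}}}NameIdentifier").text = user
    stmt = ET.SubElement(a, f"{{{SAML}}}AttributeStatement")   # attributes travel with the assertion
    for name, values in (("mail", [rec["mail"]]), ("groups", rec["groups"])):
        attr = ET.SubElement(stmt, f"{{{SAML}}}Attribute", AttributeName=name)
        for v in values:
            ET.SubElement(attr, f"{{{SAML}}}AttributeValue").text = v
    mac = hmac.new(ISSUER_KEYS[issuer], _c14n(a), "sha256").digest()
    ET.SubElement(a, f"{{{SIG}}}Signature").text = base64.b64encode(mac).decode()
    return a


def build_request(user, password, method, now, audience="urn:svc:Orders"):
    """Place the assertion in a wsse:Security header ahead of the RPC body."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    sec = ET.SubElement(ET.SubElement(env, f"{{{SOAP}}}Header"), f"{{{WSSE}}}Security")
    sec.append(issue_assertion(user, password, audience, "urn:example:client-proxy", now))
    call = ET.SubElement(ET.SubElement(env, f"{{{SOAP}}}Body"), f"{{urn:svc:Orders}}{method}")
    ET.SubElement(call, "orderId").text = "42"
    return ET.tostring(env)


def inspect(envelope, now):
    """Server-side proxy: reject malformed XML, verify the assertion (issuer, signature,
    window, audience), authorize the SOAP method; return decision, attributes and audit."""
    audit = []
    def deny(reason):
        audit.append(("deny", reason))
        return {"allowed": False, "reason": reason, "audit": audit}
    try:
        env = ET.fromstring(envelope)
    except ET.ParseError as e:
        return deny(f"malformed message: {e}")
    a = env.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security/{{{SAML}}}Assertion")
    call = env.find(f"{{{SOAP}}}Body/*")
    cond = a.find(f"{{{SAML}}}Conditions") if a is not None else None
    if cond is None or call is None or not call.tag.startswith("{"):
        return deny("missing assertion, conditions or RPC body")
    key, sig = ISSUER_KEYS.get(a.get("Issuer")), a.find(f"{{{SIG}}}Signature")
    if key is None or sig is None or not sig.text:
        return deny("untrusted issuer or unsigned assertion")
    a.remove(sig)                                   # verify exactly what the issuer signed
    ok = hmac.compare_digest(hmac.new(key, _c14n(a), "sha256").digest(),
                             base64.b64decode(sig.text))
    a.append(sig)                                   # retain the validated assertion downstream
    if not ok:
        return deny("assertion signature invalid")
    t = now.strftime(TS)
    if not cond.get("NotBefore", "") <= t < cond.get("NotOnOrAfter", ""):
        return deny("assertion outside its validity window")
    service, method = call.tag[1:].split("}", 1)
    if service not in [x.text for x in cond.iter(f"{{{SAML}}}Audience")]:
        return deny("assertion not issued for this service")
    user = a.findtext(f".//{{{SAML}}}NameIdentifier")
    audit.append(("authenticated", user))
    attrs = {x.get("AttributeName"): [v.text for v in x] for x in a.iter(f"{{{SAML}}}Attribute")}
    acl = POLICY.get(service, {}).get(method)
    if acl is None or (user not in acl["users"] and not acl["groups"] & set(attrs.get("groups", []))):
        return deny(f"{user} not authorized for {method}")
    audit.append(("authorized", f"{user} -> {method}"))
    return {"allowed": True, "user": user, "attributes": attrs, "audit": audit}
```

Calling `inspect(build_request("alice", "alice-pw", "getOrder", NOW), NOW)` yields an allowed decision with alice's mail and group attributes and two audit events; the same request inspected at `EXPIRED`, issued for a different audience, or with the subject name edited in transit is denied with the corresponding reason. Note the order of checks: the signature is verified before any field of the assertion is trusted, and the validity window is a half-open interval so a message presented exactly at NotOnOrAfter is rejected, as SAML specifies.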

Installation
As of this writing, Soap Content Inspector is only available for installation on Windows 2000, so you had better put on your Microsoft administrator's hat. Prior to installation you'll need to download and install the Java 1.3 Runtime Environment (or later) and several security-related libraries (JSSE, JCE). Check the installation (startup) guide for details. Although Java 1.4 bundles these security class libraries, you still need to download and install each security package separately until version 1.4 is certified by Quadrasis.

Documentation
Soap Content Inspector comes with several well-written guides to help you configure and secure your Web services. I found the Administrator's Guide to be extremely useful, taking you step-by-step through setting up the system and establishing a base set of policies.

Conclusion
Installing and configuring secure Web services is straightforward with Quadrasis Soap Content Inspector. Its policy management is less complex to configure than that of other security management products, and it can essentially run straight out of the box, letting you get acquainted with security policies first before configuring external systems such as database and directory services.

Company Info
Quadrasis, the security division of Hitachi Computer Products (America), Inc.
Software Solutions Division
1601 Trapelo Road
Reservoir Place, 3rd Floor
Waltham, MA 02451
Phone: (781) 890-0444
Facsimile: (781) 890-4998
Web: www.quadrasis.com
E-mail: [email protected]

Evaluation Download
www.quadrasis.com/prod_download/register.asp

Licensing Information
Licensing is on a CPU basis with up to 50 simultaneous connections.
http://www.quadrasis.com/prod_download/register.asp

Testing Environment
OS: Windows-2000 Professional
Hardware: IBM ThinkPad T30

More Stories By Joe Mitchko

Joe Mitchko is the editor-in-chief of WLDJ and a senior technical specialist for a leading consulting services company.
