Quadrasis/Xtradyne SOAP Content Inspector

They carefully planned for days for the worst possible attack. Once their presence was detected, the enemy's agents, who were stealthy and highly intelligent, would surely be drawn to their defensive walls. It would only be a matter of time before the ongoing and relentless probing would begin, eventually finding some unknown and unforeseen weakness in its design. Once compromised, the walls would surely be breached and the eventual plundering and destruction would spell doom for the innocent inhabitants within. Instinctively they knew not to underestimate the dark and ever-present forces residing in the ether...

This may sound like a scene from the latest Lord of the Rings movie. Actually, it depicts an everyday event for Internet service providers - bringing new servers online. In many cases it takes only a few minutes for firewall probing to start once a new Web server is connected to the Internet.

This is the world that global Web services must exist in, and it does not paint a pretty picture. Luckily, standards are emerging to address the numerous Web service security issues (WS-Security, SAML), along with new products that implement them. Quadrasis SOAP Content Inspector is one such product, built to tackle today's tough Web service security issues.

Overview
The Quadrasis/Xtradyne SOAP Content Inspector (SCI) provides a flexible and comprehensive set of solutions for protecting Web service resources both inside and outside the corporate firewall. It comprises three main components which, depending on the installation, can reside on a single server or on separate boxes. The SCI Policy Server manages the various security policies and makes all decisions regarding access to resources. The SCI Proxy Server intercepts SOAP requests and, depending on the decision made by the Policy Server, passes each request to the protected Web service or denies access to the service. The final component, the SCI Administration Console, allows you to maintain user names and user groups, exercise role-based access control over Web service resources, configure message encryption, and set up event monitoring (see Figure 1).


Regarding user stores, you can either use a built-in database for user information or configure SCI to retrieve user information from a directory server (using LDAP). SCI is compatible with several of the leading directory service products including Netscape (iPlanet).

If your security design involves processing SAML assertions with attribute data (e.g., pulled from an LDAP server), you'll need to install an additional product from Quadrasis. I'll have more on that later.

4A Functionality
The functionality provided by SOAP Content Inspector can be summarized in four basic categories - authentication, authorization, auditing, and administration. Authentication limits access to those clients that can be authenticated by one of several mechanisms: SSL client certificate, HTTP basic authentication, SAML assertion, or anonymous public access. Basically, you had better be who you claim to be or you cannot use the Web service resource.

Authorization restricts an authenticated SOAP client to only those Web service resources spelled out in the policy information stored on the Policy Server. SCI policy can authorize access down to the SOAP RPC method level and manages access control lists at the user and user-group level.

As for auditing, SOAP Content Inspector can log a number of events, including connection establishment and the results of authentication and authorization. You have the option of logging to a flat file or to the Windows 2000 event log service.

The last of the 4A features, administration, is the GUI-based SCI Admin Console provided with SOAP Content Inspector. The console has two views, professional and expert. The professional view is where you would spend most of your time when setting up your policies and other configuration settings; it organizes settings logically by function. The expert view, on the other hand, is essentially one large, hierarchically arranged property sheet for the system. You go there only if you need to tweak something that is not normally handled by the professional view. I found the Admin Console fairly straightforward and easy to use. SOAP Content Inspector keeps security arrangements at a single policy level and does not include higher levels of abstraction, such as domains and realms, found in other security policy services. This tends to make security policies easier to configure and administer.

One last set of features, not really part of the 4A list, concerns message integrity and validation. SOAP Content Inspector can detect ill-formed messages by validating the XML inside the SOAP message. It can also digitally sign the SOAP header and message blocks as a whole, so that any modification after signing cannot go undetected.
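As an added illustration of the two integrity checks just described (not code from Quadrasis or Xtradyne), the following Python rejects requests whose XML is ill-formed or is not a SOAP envelope, and detects tampering with the signed header blocks and body. The product uses XML digital signatures; this example substitutes an HMAC over the serialised header blocks and body, carried in a header block of its own, so that it runs with the standard library alone. The envelope, the shared key and the demo signature namespace are constructed for the example.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
DEMO_NS = "urn:example:demo-signature"          # constructed namespace for the signature block
NS = {"soap": SOAP_NS, "demo": DEMO_NS}
SIG_TAG = f"{{{DEMO_NS}}}Signature"
SHARED_KEY = b"constructed-demo-key-not-for-real-use"  # constructed; assumed shared by signer and proxy

# Constructed request: one header block plus an RPC call in the body.
SAMPLE_ENVELOPE = f"""<soap:Envelope xmlns:soap="{SOAP_NS}">
  <soap:Header>
    <t:Transaction xmlns:t="urn:example:tx">tx-42</t:Transaction>
  </soap:Header>
  <soap:Body>
    <m:getSalary xmlns:m="urn:example:payroll"><m:employee>alice</m:employee></m:getSalary>
  </soap:Body>
</soap:Envelope>"""


def parse_envelope(envelope_xml):
    """Well-formedness plus structural check: return the root element or raise ValueError."""
    try:
        root = ET.fromstring(envelope_xml)
    except ET.ParseError as exc:
        raise ValueError(f"ill-formed XML: {exc}") from exc
    if root.tag != f"{{{SOAP_NS}}}Envelope":
        raise ValueError("root element is not a SOAP Envelope")
    if root.find("soap:Body", NS) is None:
        raise ValueError("SOAP envelope has no Body")
    return root


def _serialise(elem):
    # Signer and verifier both serialise from a freshly parsed tree, so the bytes
    # agree; trailing inter-element whitespace (the element's tail) is stripped.
    return ET.tostring(elem, encoding="utf-8").strip()


def _signed_content(root):
    """Bytes covered by the MAC: every header block except the signature itself, then the body."""
    parts = []
    header = root.find("soap:Header", NS)
    if header is not None:
        parts.extend(_serialise(block) for block in header if block.tag != SIG_TAG)
    parts.append(_serialise(root.find("soap:Body", NS)))
    return b"\n".join(parts)


def sign_envelope(envelope_xml, key=SHARED_KEY):
    """Add a signature header block covering the existing header blocks and the body."""
    root = parse_envelope(envelope_xml)
    header = root.find("soap:Header", NS)
    if header is None:
        header = ET.Element(f"{{{SOAP_NS}}}Header")
        root.insert(0, header)
    mac = hmac.new(key, _signed_content(root), hashlib.sha256).hexdigest()
    ET.SubElement(header, SIG_TAG).text = mac
    return ET.tostring(root, encoding="unicode")


def verify_envelope(envelope_xml, key=SHARED_KEY):
    """Return (ok, reason). Any parse failure or MAC mismatch is a reject."""
    try:
        root = parse_envelope(envelope_xml)
    except ValueError as exc:
        return False, str(exc)
    sig = root.find("soap:Header/demo:Signature", NS)
    if sig is None or not sig.text:
        return False, "no signature header block"
    expected = hmac.new(key, _signed_content(root), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig.text.strip(), expected):
        return False, "signature mismatch: header or body altered after signing"
    return True, "signature valid"


if __name__ == "__main__":
    signed = sign_envelope(SAMPLE_ENVELOPE)
    print(verify_envelope(signed))
    print(verify_envelope(signed.replace("alice", "mallory")))
    print(verify_envelope(signed[:-3]))
```

The MAC is computed over the serialised elements rather than the raw bytes on the wire, which is why a whitespace-only edit between elements is not flagged while any change to element names, attributes or text is. A production deployment relies on XML Signature with proper canonicalisation so that the signature survives re-serialisation by intermediaries; that is the case this standard-library stand-in does not cover.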

Architecture
One of the more interesting features of the SOAP Content Inspector is its flexibility in handling SAML (Security Assertion Markup Language) assertions, one of the emerging standards in Web services today. An assertion essentially provides a mechanism for passing security information from one party to another. A SAML assertion carried in a SOAP message (typically in the SOAP header) can provide authentication and authorization information that was populated ahead of time by some authentication service. The assertion thereby carries proof of the message's authenticity as well as information about which Web service resources the sender is authorized to access.

SCI can be set up as a proxy for the Web service: it authenticates the client (user) sending the message, creates and appends a SAML assertion to the message, and forwards the message to the real Web service application. With the SAML assertion firmly attached to the SOAP message (in the SOAP header), the message can be forwarded on to other nested Web services, which provides a single sign-on mechanism.

In another mode of operation, called Federated Trust, SOAP Content Inspector can be configured on both the client and service sides of the Web service, acting in a sense as a dual proxy (see Figure 2). The client forwards the SOAP message to the client-side proxy and provides the necessary authentication, and the proxy attaches a SAML assertion to the message. The message is then delivered to the server-side proxy, where the SAML assertion is processed. If the client is authorized to use the Web service, the validated SAML assertion is retained in the SOAP message and the request is forwarded to the true Web application. The assertion processing happens under the covers and provides a transparent and secure means of delivering SOAP messages over the Internet.


Another strength of the SOAP Content Inspector is its ability to inject attribute information (user e-mail addresses, business addresses, etc.) into SAML assertions. It is currently the only product on the market with this level of functionality. To do this, you must install and configure EASI Security Unifier, a separate product installation (and license) from Quadrasis. With attributes embedded in the SAML assertion, a Web service is not only assured that the client is authenticated and authorized to use the service, but also has relevant, current user information available for processing. This saves the Web service from making separate trips to an LDAP server and from needing its own LDAP connect, bind, and search configuration.
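The policy decision the server-side proxy makes in the flows above, combined with the method-level ACLs from the 4A section and the group and e-mail attributes carried in the assertion, as an added Python example (not Quadrasis/Xtradyne code). The SAML 1.0 envelope, the ACL, the issuer name and the service audience are constructed; the code assumes the assertion's own XML signature was already verified in an earlier step that is not shown.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
NS = {"soap": SOAP_NS, "saml": SAML_NS}

# Constructed request: SAML 1.0 assertion with attributes in the header, RPC call in the body.
SAMPLE_ENVELOPE = f"""<soap:Envelope xmlns:soap="{SOAP_NS}">
  <soap:Header>
    <saml:Assertion xmlns:saml="{SAML_NS}" Issuer="sci-client-proxy.example">
      <saml:Conditions NotBefore="2003-01-01T00:00:00Z" NotOnOrAfter="2003-01-01T01:00:00Z">
        <saml:AudienceRestrictionCondition>
          <saml:Audience>urn:example:payroll-service</saml:Audience>
        </saml:AudienceRestrictionCondition>
      </saml:Conditions>
      <saml:AuthenticationStatement>
        <saml:Subject><saml:NameIdentifier>alice</saml:NameIdentifier></saml:Subject>
      </saml:AuthenticationStatement>
      <saml:AttributeStatement>
        <saml:Attribute AttributeName="group"><saml:AttributeValue>finance</saml:AttributeValue></saml:Attribute>
        <saml:Attribute AttributeName="email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
      </saml:AttributeStatement>
    </saml:Assertion>
  </soap:Header>
  <soap:Body>
    <m:getSalary xmlns:m="urn:example:payroll-service"><m:employee>alice</m:employee></m:getSalary>
  </soap:Body>
</soap:Envelope>"""

# Constructed policy: per RPC method, the users and groups allowed to call it.
ACL = {
    "getSalary": {"users": set(), "groups": {"finance"}},
    "listEmployees": {"users": {"hr-admin"}, "groups": {"hr"}},
}
TRUSTED_ISSUERS = {"sci-client-proxy.example"}        # constructed
SERVICE_AUDIENCE = "urn:example:payroll-service"      # constructed


def parse_utc(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_assertion(root):
    """Issuer, subject, validity window, audiences and attributes of the header assertion, or None."""
    a = root.find("soap:Header/saml:Assertion", NS)
    if a is None:
        return None
    cond = a.find("saml:Conditions", NS)
    subject = a.find(".//saml:Subject/saml:NameIdentifier", NS)
    attrs = {}
    for attr in a.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text for v in attr.findall("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("AttributeName"), []).extend(values)
    window = None
    if cond is not None and cond.get("NotBefore") and cond.get("NotOnOrAfter"):
        window = (parse_utc(cond.get("NotBefore")), parse_utc(cond.get("NotOnOrAfter")))
    audiences = a.findall("saml:Conditions/saml:AudienceRestrictionCondition/saml:Audience", NS)
    return {
        "issuer": a.get("Issuer"),
        "subject": None if subject is None else subject.text,
        "window": window,
        "audiences": [x.text for x in audiences],
        "attributes": attrs,
    }


def rpc_method(root):
    """The RPC method is the first child element of the Body; return its local name."""
    body = root.find("soap:Body", NS)
    if body is None or len(body) == 0:
        return None
    return body[0].tag.rsplit("}", 1)[-1]


def authorize(envelope_xml, now, acl=ACL, trusted_issuers=TRUSTED_ISSUERS, audience=SERVICE_AUDIENCE):
    """Return (allowed, reason); the request is forwarded only when every check passes."""
    try:
        root = ET.fromstring(envelope_xml)
    except ET.ParseError as exc:
        return False, f"ill-formed XML: {exc}"
    a = parse_assertion(root)
    if a is None:
        return False, "no SAML assertion in header"
    if a["issuer"] not in trusted_issuers:
        return False, f"untrusted issuer {a['issuer']!r}"
    if a["window"] is None:
        return False, "assertion carries no validity window"
    if not (a["window"][0] <= now < a["window"][1]):
        return False, "assertion outside its validity window"
    if audience not in a["audiences"]:          # strict: an assertion must name this service
        return False, "assertion not addressed to this service"
    if not a["subject"]:
        return False, "assertion names no subject"
    method = rpc_method(root)
    rule = acl.get(method)
    if rule is None:                             # unknown method: deny, do not forward
        return False, f"no policy for method {method!r}"
    groups = set(a["attributes"].get("group", []))
    if a["subject"] in rule["users"] or groups & rule["groups"]:
        return True, f"{a['subject']} may call {method}"
    return False, f"{a['subject']} is not permitted to call {method}"
```

Every failed check returns a deny with a reason, which is also what the proxy should write to its audit log; the group membership used for the ACL match comes from the assertion's attribute statement rather than from a separate LDAP lookup, which is the point of carrying attributes in the assertion.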

Installation
As of this writing, SOAP Content Inspector is available only for Windows 2000, so you had better put on your Microsoft administrator's hat. Prior to installation you'll need to download and install the Java 1.3 Runtime Environment (or greater) and several security-related libraries (JSSE, JCE). Check the installation (startup) guide for details. Although Java 1.4 bundles the security class libraries, you still need to download and install each security package separately until version 1.4 is certified by Quadrasis.

Documentation
SOAP Content Inspector comes with several well-written guides to help you configure and secure your Web services. I found the Administrator's Guide extremely useful; it takes you step by step through setting up the system and establishing a base set of policies.

Conclusion
Installing and configuring secure Web services is straightforward with Quadrasis SOAP Content Inspector. Its policy management is somewhat less complex to configure than that of other security management products, and it can essentially run straight out of the box, letting you get acquainted with security policies first instead of configuring external systems such as database and directory services.

Company Info
Quadrasis, the security division of Hitachi Computer Products (America), Inc.
Software Solutions Division
1601 Trapelo Road
Reservoir Place, 3rd Floor
Waltham, MA 02451
Phone: (781) 890-0444
Facsimile: (781) 890-4998
Web: www.quadrasis.com
E-mail: [email protected]

Evaluation Download
www.quadrasis.com/prod_download/register.asp

Licensing Information
Licensing is on a CPU basis with up to 50 simultaneous connections.
http://www.quadrasis.com/prod_download/register.asp

Testing Environment
OS: Windows 2000 Professional
Hardware: IBM ThinkPad T30

More Stories By Joe Mitchko

Joe Mitchko is the editor-in-chief of WLDJ and a senior technical specialist for a leading consulting services company.

