Embed Size (px)
Citation preview
SECURE YOUR INTEGRATIONS
Maarten Smeets
07-06-2018
@MaartenSmeetsNL
https://nl.linkedin.com/in/smeetsm
About Maarten
• Integration consultant at AMIS since 2014
• Several certifications
SOA, BPM, MCS, Java, SQL, PL/SQL, Mule, AWS, etc
• Enthusiastic blogger
http://javaoraclesoa.blogspot.com
3 Membership Tiers• Oracle ACE Director• Oracle ACE• Oracle ACE Associate
bit.ly/OracleACEProgram
500+ Technical Experts Helping Peers Globally
Connect:
Nominate yourself or someone you know: acenomination.oracle.com
@oracleace
Facebook.com/oracleaces
SECURE YOUR INTEGRATIONS
WHAT DO YOU HOPE TO ACHIEVE?
SECURITY IN DIFFERENT LAYERS
TLS
TLS AND JAVA CERTIFICATESKEYSTORESCIPHER SUITES
TLS IN THE ORACLE CLOUD APPLICATION SECURITY
INTRODUCTION GDPRGENERAL DATA PROTECTION REGULATION (GDPR)
• "...implement measures to mitigate those risks, such as encryption." (P51. (83))
• "...appropriate safeguards, which may include encryption" (P121 (4.e))
• "...including inter alia as appropriate: (a) the pseudonymization and encryption of personal data." (P160 (1a))
• "...unintelligible to any person who is not authorized to access it, such as encryption" (P163 (3a))
WHAT DO YOU HOPE TO ACHIEVE?
• Confidentiality
• Integrity
• Authentication
• Identification
• Authorization
• Access to specific resources
• Entitlements
WHAT DO YOU HOPE TO ACHIEVE?CONFIDENTIALITY AND INTEGRITY: REPUDIATION OF EMISSION
Do you trust the contents of the message
Integrity and Confidentiality
WHAT DO YOU HOPE TO ACHIEVE?AUTHENTICATION AND IDENTIFICATION: REPUDIATION OF ORIGIN
Do you trust the source of the message
Authentication and Identification
SECURITY IN DIFFERENT LAYERS
Application layer
(HTTP, LDAP)
TLS/SSL layer
Transport layer
(TCP, UDP)
Network layer
(IP)
Security only in the application layer
might cause plaintext passwords or
reusable tokens to be transmitted
and potentially intercepted
SECURITY IN DIFFERENT LAYERSTLS VS APPLICATION LAYER SECURITY
• Performance
• TLS is much faster than security on message contents
• Granularity
• TLS is usually on host level
• Application security can be much more specific
• Genericity
• TLS can be used on HTTP, SMTP, T3
• Application layer security is specific for a platform / application
SECURITY IN DIFFERENT LAYERSWHICH PRODUCTS?
• Loadbalancers• For example F5 product
• Oracle Traffic Director (also used in Oracle Cloud)
• On a webserver / application server• Oracle HTTP Server
• WebLogic Server
• Using an API gateway product• API Platform Cloud Service
• API Gateway
1 2
TRANSPORT LAYER SECURITY
Concepts TLS and Java
SECURITY IN DIFFERENT LAYERSWHAT CAN YOU ACHIEVE WITH TLS?
• Secure message exchange• Confidentiality
by using symmetric cryptography• Integrity
by using message authentication codes (MAC)
• Identification
• Authentication
• Authorization
By using public key cryptography
BACKGROUND AND CONCEPTSTLS: VERSIONS
TLS version Released Most important vulnerabilities
SSL 1 No Never released due to too many issues
SSL 2 1995 DROWN
SSL 3 1996 POODLE
TLS 1.0 1999 BEAST
TLS 1.1 2006 CBC, Sweet32
TLS 1.2 2008 Logjam, FREAK, Heartbleed (OpenSSL)
TLS 1.3 TBD
Netscape
IETF
BACKGROUND AND CONCEPTS TLS: JAVA
• TLS 1.2 is supported from
• Oracle JDK 6u121
• JRockit R28.3.11
• JCE for the best cipher suites
• Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files
• JCE on JRockit and Oracle JDK
• See Oracle support Doc ID 2262067.1
• JCE is no longer required after
• Version 6u191, 7u181, 8u171, 9
BACKGROUND AND CONCEPTS
Handshake
Keystores
Certificates
Cipher suites
BACKGROUND AND CONCEPTS TLS LAYER
• Client and server perform a handshake
• During the handshake certificates are exchanged
• Certificates are stored in keystores and can be checked
• Client and server agree on further details of the connection (cipher suite)
BACKGROUND AND CONCEPTSWHAT’S IN A CERTIFICATE
• A public key
• Information on the issuer
• A serial number, unique per issuer
• A period during which the certificate is valid
• A hostname or hostname wildcard
• References to certificate revocation lists
BACKGROUND AND CONCEPTSCERTIFICATES AND TRUST
BACKGROUND AND CONCEPTSKEYSTORES
BACKGROUND AND CONCEPTSKEYSTORES: FILE BASED FORMATS
• Java Keystore / JKSFile extension: .jks
• Public-Key Cryptography Standards / PKCS #12File extension: .p12 or .pfx
• Java Cryptography Extension KeyStore / JCEKSFor storing secret keys / credentialsFile extension: .jceks
Keystore Explorer
Portecle
keytool
BACKGROUND AND CONCEPTSKEYSTORES: ORACLE PLATFORM SECURITY SERVICES (OPSS)
• KeyStoreService / KSS
• Credential Store Framework or CSF
BACKGROUND AND CONCEPTSCIPHER SUITES
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
Key exchange Signature
Bulk encryption
algorithm
Message authentication
algorithm
Repudiation of originIntegrity
Repudiation of emission
ConfidentialityAuthentication Identification
BACKGROUND AND CONCEPTSCIPHER SUITES: AGREEMENT CLIENT/SERVER DURING HANDSHAKE
I would prefer
Norwegian but since
you wouldn’t
understand me, lets
talk English!
Client Server
Hi!
I can speak Dutch
and English. Hi!
I can speak
Norwegian and
English
BACKGROUND AND CONCEPTSCIPHER SUITES: AGREEMENT CLIENT/SERVER DURING HANDSHAKE
• The server has a list of supported cipher suites in order of preference
• The server chooses the cipher suite which will be used based on what the client indicates it supports
• If the server supports a poor cipher suite (even with a low priority)the client can indicate it only supports that one and it will be used!
• Some cipher suites do not do encryption, key exchange or message integrity checking
BACKGROUND AND CONCEPTSUSING A TLS CONNECTION IS NOT SECURE BY DEFAULT!
Good idea!
Lets do that!
Lets do security!
Client Server
Lets not check each others
identity, do encryption or
integrity checks, ok?
Sure!
Yay! We’re secure!
1 2
BACKGROUND AND CONCEPTS
One way TLS Two way TLS
BACKGROUND AND CONCEPTSONE WAY
• The client does not send a certificate the server can check
• The server sends a certificate the client can check
BACKGROUND AND CONCEPTSTWO WAY
• The client sends a certificate the server can check
• The server sends a certificate the client can check
BACKGROUND AND CONCEPTSCONSIDERATIONS ONE OR TWO WAY SSL
• Do you require validation of the client?Are client and server located in the same data center?Is the server publicly exposed?
• Can you control the client? Force the client to use a client certificate?Manage client certificates next to server certificates
• Performance. • Per TLS connection extra validations need to be performed.
• More network traffic is required since the client also sends a certificate
1 2
TLS IN SOA SUITEOUTBOUND 2-WAY
Composites Service Bus
TLS IN SOA SUITE
• Composites: one client certificate for 2-way TLSper domain
• Service Bus: multiple client certificates for 2-way TLSconfigurable per service
TLS IN SOA SUITECOMPOSITES
• Configure the composite identity keystoreThis is domain level configuration! Not customizable per service
• Configure keystore password and key passwordAdd CSF entries in the folder SOA
• Configure composite reference for 2-way SSL<property name=”oracle.soa.two.way.ssl.enabled”>true</property>
TLS IN SOA SUITESERVICE BUS
• PKICredentialMapperCreate a PKICredentialMapper in WebLogic ConsoleConfigure the keystore and keystore password to use
• ServiceKeyProviderCreate a ServiceKeyProvider in a project (or a shared location)This uses the PKICredentialMapper. Contains a reference to the key and key password
http://www.redrock-it.nl/add-client-certificate-outgoing-osb-call/
1 2
TLS IN THE ORACLE CLOUD
IaaS and Compute based PaaS Non Compute based PaaS and SaaS
TLS IN THE ORACLE CLOUDIAAS AND COMPUTE BASED PAAS
• Services in which the customer can access the VMLike Java Cloud Service, Database Cloud Service
• “bring your own host name” policy
• The customer is responsible for requesting a certificate and implementing it
http://www.ateam-oracle.com/https-and-trust-in-oracle-public-cloud/
TLS IN THE ORACLE CLOUDNON COMPUTE BASED PAAS AND SAAS
• Services like• ICS• SOACS• Mobile Cloud Service• Document Cloud Service• Sales Cloud• ERP Cloud
• Oracle offers a (wildcard) certificate per cloud service per region
• Cipher suites are preconfigurednot configurable
TLS IN THE ORACLE CLOUDCIPHER SUITES
• TLS 1.2 GCM cipher suites are not
supported. These offer integrity checking.
• Several SHA cipher suites (next to SHA256).
These are vulnerable against collision attacks
• RSA key exchange does not provide forward
secrecy
• TLS_RSA_WITH_3DES_EDE_CBC_SHA
Is a weak cipher suite
• TLS 1.0 is supported
Possibly vulnerable for POODLE and BEAST
• TLS 1.2 GCM cipher suites are not
supported. These offer integrity checking.
• Several SHA cipher suites (next to SHA256).
These are vulnerable against collision attacks
• RSA key exchange does not provide forward
secrecy
https://www.ssllabs.com/ssltest
1 2
APPLICATION SECURITY
SOAP, REST WS Security in OWSM
WHAT DO YOU HOPE TO ACHIEVE?
• Confidentiality
• Integrity
• Authentication
• Identification
• Authorization
• Access to specific resources
• Entitlements
APPLICATION SECURITY
• HTTP• OAuth
• Basic authentication
• REST/JSON• JSON Web Tokens (JWT)
• JSON Object Signing and Encryption (JOSE)
• SOAP/XML• SAML
• WS-Security
Cute, but (mostly)…
- Plaintext passwords are transmitted
- Plaintext usernames are transmitted
- Re-usable tokens are exchanged
Fixes that!
APPLICATION SECURITYSECURE TOKEN SERVICE
Tokens can be transmitted
• as part of the HTTP body
• in an HTTP header
APPLICATION SECURITYSECURE TOKEN EXAMPLES
1 2
AUTHENTICATIE / IDENTIFICATIONWS SECURITY TOKENS
UsernamePassword token Digest token
APPLICATION SECURITYWEBLOGIC SERVER: ORACLE WEBSERVICE MANAGER
• Centrally define and store declarative policies applied to the multiple Web services.
• Locally enforce policies through configurable agents.
• Monitor run time security events such as failed authentication or authorization.
https://docs.oracle.com/middleware/1221/owsm/security/owsm-predefined-policies.htm
AUTHENTICATION WS-SECURITY BASED ON USERNAME/PASSWORD
• WS-Security Username Authenticationoracle/wss_username_token_client_policyoracle/wss_username_token_server_policy
AUTHENTICATION WS-SECURITY USING A DIGEST TOKEN
• WS-Security offers digest based authentication
• A digest consists of a cryptographic hash of
• A password
• A nonce: a number which can be used only once
• A timestamp
AUTHENTICATION WS-SECURITY USING DIGEST TOKEN IN WLS/OWSM
• WebLogic Server + OWSM
• Only with WLS internal LDAP Passwords should be decryptable to generate digests
• Can only authenticate users created after the digest configuration has been applied
• NonceA nonce can be cached in CoherenceMind the Coherence cluster configuration!
https://thecattlecrew.net/2017/03/22/ws-security-with-username-token-profile-on-oracle-weblogic-server/
AUTHORIZATION
• oracle/binding_authorization_template
• Role based access to a binding
• oracle/component_authorization_template
• Role based access to a component
• oracle/component_permission_authorization_template
• Authenticated subject can access component / webservice operation
INTEGRITY AND CONFIDENTIALITY
• Confidentiality: XML Encryption
• Message encryption
• Integrity: XML Signature
• Messages have not been altered since signing
• Signature can be checked to confirm the clients identity party
INTEGRITY AND CONFIDENTIALITYORACLE WEBSERVICE MANAGER: POLICIES
• oracle/wss10_message_protection_client_policyoracle/wss11_message_protection_client_policyoracle/wss10_message_protection_server_policyoracle/wss11_message_protection_server_policy
KSS keystore: Key alias
JKS keystore: CSF entry in oracle.wsm.security
CONFIDENTIALITYPERSONALLY IDENTIFIABLE INFORMATION
• oracle/pii_security_policyEncryption of Personally Identifiable Information (PII)
• Only within a composite
• Want to use the value? Decrypt! (using Java embedding)
CONFIDENTIALITYPERSONALLY IDENTIFIABLE INFORMATION
• oracle/pii_security_policyEncryption of Personally Identifiable Information (PII)
• Only within a composite
• Want to use the value? Decrypt! (using Java embedding)
1 2
Considerations Food for thought
PERFORMANCE
• WS SecureConversationThe number of authentications is reduced
• System entropy (especially on VMs)http://oraclemiddlewareblog.com/2012/10/17/how-to-improve-weblogic-servers-startup-timehttp://bugs.java.com/view_bug.do?bug_id=6521844
• Preemptive basic authenticationhttp://georgie-soablog.blogspot.nl/2013/09/bpel-calling-web-services-with-http.html
https://en.wikipedia.org/wiki/WS-Security
CONSIDERATIONS
Performance
Complexity
Coverage
DTAP
Capabilities of software
Futureproof
Sensitivity of data
License fee
Testability
Flexibility
Manageability
FOOD FOR THOUGHTGDPR
• Do you know what Personally Identifiable Information (PII) exactly is?
• Do you know which measures are required for the PII data you have?
• Do you know where your PII data is located, cached, stored (backups?), aggregated, analyzed, …?
• Do you know who can access / has accessed this data? And for what reason?
• Do you know which agreements (for storing, processing, transmitting) are required and who is responsible for them?
• Do you have data lifecycle management in place? Can you remove PII data upon request?
• Can you provide a client with all their PII data you have on them?
