OASIS WS-Security - PeopleSoft Integration Broker

 

(SSL/TLS, X509 Digital Certificates, XML Signature, XML Encryption, Java Key Store (JKS), Oracle Wallet, WSS4J, SAML)  

  

  

  

 

Prerequisites:

 

       

Internet Security Basics

 

        Symmetric Encryption, Public Key Infrastructure (PKI) Encryption, PKI Digital Signature, Certificates and Certificate Authorities.

 

        Following, are some of the important basic concepts relating to Internet Security which are further explained in this PPT with a number of illustrations.

      

        Symmetric Encryption

                           Same key is used to encrypt and decrypt on both sides of the connection.

                           Key should not travel over the network un-protected.

                           The longer the key stronger the encryption.

        

        Asymmetric Encryption

                           Uses a pair of private and public key.

                           Private Key is kept secret and public is distributed to others.

                           Encryption always uses the recipient’s public key.

                           And private key is exclusively used for signing.

                           Much slower than symmetric key encryption.

 

      

        Normally symmetric encryption is used to encrypt the payload and then symmetric key itself encrypted using asymmetric encryption.

        Wherein recipient’s public key is used to encrypt the symmetric key. Hence, only recipient can decrypt the symmetric key using his/her private key. 

  

           A Certification Authority (CA) issues digital certificates that contain a public key and the identity of the owner.

  

         X.509 specifies standard formats for public key certificates, certificate revocation lists, attribute certificates, and a certification path validation algorithm.

       

       A keystore is a database (usually a file) that can contain trusted certificates and combinations of private keys with their corresponding certficiates.

There are two different types of entries in a keystore:

  

           Key entries – A key stored in this type of entry is a secret key, or a private key accompanied by the certificate "chain" for the corresponding public key.

           Trusted certificate entries – Each contains a single public key certificate belonging to another party. It is called a "trusted certificate" because the keystore owner trusts that the public key in the certificate indeed belongs to the identity identified by the "subject" (owner) of the certificate. The issuer of the certificate vouches for this, by signing the certificate. (To get the certificate, you must create a Certificate Request and submit it to the CA. The CA will authenticate the certificate requestor and create a digital certificate based on the request. )

Types of Keystores

JKS:The Java Keystore (JKS) is the proprietary keystore format defined by Sun Microsystems. To create and manage the keys and certificates in the JKS, use the keytool utility.

  

Oracle Wallet: The Oracle Wallet acts as a keystore for storing and managing public and private keys, and X.509 certificates. To create a wallet, Oracle provides the orapki utility in the ORACLE_HOME/bin directory.

 

  

 

SSL/TLS Protocol Basics 

Following, are some of the basic concepts relating to SSL/TLS Protocol which are further explained in this PPT with a number of illustrations.

            Trust relationship is established between communicating parties using digital certificates.

            Client generates a seed data, encrypts it using server’s public key,

            Using the seed data and RSA algorithm they both generate a same symmetric encryption key.

            Payload data is sent using symmetric key encryption and symmetric key digital signature. 

 

  

 

XML Security: XML Signature & XML Encryption

Following, are some of the basic concepts relating to XML Security, which are further explained in this PPT with a number of illustrations.

XML Signature

            Uses XML syntax to represent a signature over any digital content and XML content in particular.

            Meets requirement of signing portions of documents via Transforms: processing the document before signing.

            Can be used to specify a signature over a list of resources (one or more parts of a document or different documents).

XML Encryption

            A process for encrypting data and representing the result in XML.

            The data may be arbitrary data (including an XML document), an XML element, or XML element content.

            The result of encrypting data is an XML Encryption <EncryptedData> element which contains or identifies (via a URI reference) the cipher data.

            When encrypting an XML element or element content the <EncryptedData> element replaces the element or content (respectively) in the encrypted version of the XML document.

            When encrypting arbitrary data (including entire XML documents), the <EncryptedData> element may become the root of a new XML document or become a child element in an application-chosen XML document.

 

 

OASIS WS Security

Following, are some of the basic concepts relating to WS-Security, which are further explained in this PPT with a number of illustrations.

  

WS-Security

  

           Why do we need Web Services Security? Specially, when SSL can be used between web servers to secure the XML message payload over http.

        

        The identity, integrity, and security of the message and the caller need to be preserved over multiple hops. 

        Many of the bigger problems involve sending the message along a path more complicated than request/response or over a transport that does not involve HTTP.

  

            WS-Security is a SOAP enhancement, providing a means for applying security to Web services.

  

             

  

          Originally developed by IBM, Microsoft, and VeriSign, the protocol is now officially called WSS and developed via committee in Oasis-Open.

  

          This specification provides three main mechanisms: 

 

              Ability to send security tokens as part of a message, 

              Message integrity.

              Message confidentiality. 

          It provides end-to-end message content security and not just transport-level security.

          The wsse:BinarySecurityToken can wrap different types of authentication data in binary format (e.g. X509 certificates and Kerberos tickets, etc.).

 

 

 

WS-Security Specification Releases

          Current is version 1.1

          Prior Release was 1.0 (Part of this has been implemented in PeopleTools 8.49)

 

 

WS-Security version 1.0 comprises

 

          SOAP Message Security V1.0

          Username Token Profile V1.0

          X.509 Token Profile V1.0

          SAML Token Profile V1.0

          Security REL Token Profile V1.0

 

 

PeopleTools 8.49 WS-Security Implementation

  

          PeopleSoft implements the Oasis Standard 1.0 WS-Security schema, which conforms to the Web Service Security standard version 1.

          Within this framework, PeopleSoft implements:

          Username Token Profile 1.0

          X.509 Token Profile 1.0

          PeopleSoft's XML signature and XML encryption feature support surrounds the UsernameToken profile. As a result, XML signature and XML encryption are fully functional for the UsernameToken section of the SOAP header, but not necessarily for the entire XML SOAP message.

  

 

WSS4J

          Apache WSS4J is an implementation of the OASIS Web Services Security (WS-Security) from OASIS Web Services Security TC . WSS4J is primarily a Java library that can be used to sign and verify SOAP Messages with WS-Security information. WSS4J will use Apache Axis and Apache XML-Security projects and will be interoperable with JAX-RPC based server/clients and .NET server/clients.

 

          WSS4J implements

          Web Services Security: 

          SOAP Message Security 1.1 

          Username Token Profile 1.1 

          X.509 Certificate Token Profile 1.1

 

 

 

 

 

 

 

 Acknowledgements:

 

       Wellen Lau:- Principal Software Engineer - PSFT Development - PeopleTools

 

 

 

Resources:

 

      Sample (App Designer Project): PSFT integration with one of the supplied WSS4J sample examples (Stock Quote) download 

 

      WSS4J: http://ws.apache.org/wss4j/

 

      PeopleTools TEST Root CA --Microsoft Certificate Services   http://ptntas12/certsrv/ 

  

      Wellen’s PT8.5 WS-Security Wiki  http://aseng-wiki.us.oracle.com/asengwiki/display/ASDevPeopleTools/Wellen+Lau

 

      W3C - XML Encryption Syntax and Processing http://www.w3.org/TR/xmlenc-core/

 

 Securing a Web Sevice using JDeveloper: Flash Sample: http://www.oracle.com/technology/products/jdev/101/viewlets/101/xesecureunitedloanserver_viewlet_swf.html

 

  Securing Web Services using JDeveloper and WS-Security: http://www.oracle.com/technology/products/jdev/101/howtos/securews/index.html

                       

                          Keytool - Key and Certificate Management Tool http://java.sun.com/j2se/1.3/docs/tooldocs/win32/keytool.html

 

                          TCPMonitor:  http://files.oraclecorp.com/content/AllPublic/Users/Users-B/bipin.jethwani-Public/tcpmon.jar