Re: WS-Security, SSL or both
pzfreo wrote:
> There is another alternative, which is to use WS-Trust and WS-SecureConversation. This makes life more efficient if you have more than one message exchange (which I'm guessing you will if this is a B2B sort of situation).

Are you referring to async web services? Due to time restrictions I will be implementing a simple polling setup, so each message requires a separate method call. Does this mean the token exchange has to take place for each call?

I'm considering using one-way SSL for encryption and SecureConv for digital signatures. My logic behind this is that having SSL on a reverse proxy would take part of the encryption load off the Axis server. With this setup, 2 signatures will be transferred between the server and client - will this have a big impact on the message size?

I have set up WSAS and am quite happy with it. Having 2 minor problems:
- Eclipse freezes when I start WSAS using the plugin
- code generated using the axis2 codegen is giving me errors when using the WSAS folder as the axis home, e.g. an abstract method defined in the WSAS axis2 library isn't generated by the codegen. I worked around this by selecting "use axis2 codegen classes". Do you think this will give me problems later on?

--
View this message in context: http://www.nabble.com/WS-Security%2C-SSL-or-both-tp15549089p15653326.html
Sent from the Axis - User mailing list archive at Nabble.com.
Re: WS-Security, SSL or both
Mikle

More answers:

On Feb 19, 2008 7:54 PM, mikle <[EMAIL PROTECTED]> wrote:
> The clients are large organisations that will be submitting and pulling financial transactions, so a username and password is not enough.

The authentication mechanism in WS-Security allows the use of client certificates as well as u/p. So you can use a cert to authenticate and SSL to encrypt if you only need auth+encryption. That would be the simplest approach if those are your requirements.

> pzfreo wrote:
> > 1) Is it possible to access two-way SSL authentication information from a web service? (assuming SSL is set up on the axis server - no reverse proxy)
> >
> > You can always access the Tomcat/Servlet/HTTP context, so if the SSL client cert information is available from the servlet context (which it is) you can get at it in your Axis2 service.
>
> Does this work when using axis without tomcat?

Yes, this should work in any servlet container.

> pzfreo wrote:
> > There is another alternative, which is to use WS-Trust and WS-SecureConversation. This makes life more efficient if you have more than one message exchange (which I'm guessing you will if this is a B2B sort of situation). Basically, the client uses UserName token or the X509 cert to set up the session. Then the server issues a token. The token acts as an ephemeral key which can be used for traditional symmetric encryption and signature. So now the conversation can proceed much more efficiently.
>
> WS-SecureConversation sounds interesting.. does it work with anonymous clients (behind a firewall)? Do you have any links to good implementation guides for SecureConv? I ran a quick search and all the results seem to point to the spec.

There are samples in Axis2/Rampart/Rahas. In addition WSO2 has a packaged version of Axis2 (http://wso2.org/projects/wsas) that provides some help configuring WS-SC and Trust, including some pre-built policies.

> pzfreo wrote:
> > Basically this is the model I described with WS-Trust and SecureConv. Effectively this models the session startup that SSL does in XML. The upside is the efficiency. The downside is that you need more stuff. So for example, you can interoperate with .NET, but some older stacks don't do WS-SecConv and Trust.
>
> Interop is important for this impl, but it seems that it is supported by the Sun and IBM stacks. Please correct me if I am wrong.

Sure, there are a number of stacks that support SecureConversation. I simply meant that WS-Security is *very* widely implemented whereas SC is newer.

Paul

--
Paul Fremantle
Co-Founder and VP of Technical Sales, WSO2
OASIS WS-RX TC Co-chair

blog: http://pzf.fremantle.org
[EMAIL PROTECTED]

"Oxygenating the Web Service Platform", www.wso2.com

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
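As an added example (not code from this thread, from Axis2 or from WSAS), here is how an Axis2 service implementation could pull the two-way SSL client certificate out of the servlet request that the container exposes, and derive the caller identity from it rather than from the message body. The service class, the operation name, the partner lookup and the sample DN are assumptions for illustration.

```java
import java.security.cert.X509Certificate;
import javax.servlet.http.HttpServletRequest;
import org.apache.axis2.AxisFault;
import org.apache.axis2.context.MessageContext;
import org.apache.axis2.transport.http.HTTPConstants;

public class TransactionService {

    // Standard servlet attribute under which containers expose the verified client cert chain.
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    /** Hypothetical operation: the caller identity comes from the mutual-SSL cert, not the payload. */
    public String submitTransaction(String payload) throws AxisFault {
        X509Certificate caller = callerCertificate(MessageContext.getCurrentMessageContext());
        String partner = partnerFor(caller);
        if (partner == null) {
            throw new AxisFault("Client certificate is not registered for any partner");
        }
        // ... process 'payload' on behalf of 'partner' ...
        return "accepted for " + partner;
    }

    /** Returns the leaf certificate the container verified during the TLS handshake. */
    static X509Certificate callerCertificate(MessageContext mc) throws AxisFault {
        Object req = mc.getProperty(HTTPConstants.MC_HTTP_SERVLETREQUEST);
        if (!(req instanceof HttpServletRequest)) {
            throw new AxisFault("Not running under a servlet transport");
        }
        HttpServletRequest request = (HttpServletRequest) req;
        // If SSL is terminated on a reverse proxy (the other setup discussed in the
        // thread), the cert never reaches this request and this check refuses it.
        if (!request.isSecure()) {
            throw new AxisFault("Transport is not SSL; refusing to derive an identity");
        }
        X509Certificate[] chain = (X509Certificate[]) request.getAttribute(CERT_ATTR);
        if (chain == null || chain.length == 0) {
            // Happens when the connector only "wants" rather than "needs" a client cert.
            throw new AxisFault("No client certificate presented");
        }
        return chain[0]; // chain[0] is the client's own cert; the container validated the chain
    }

    /** Hypothetical mapping from the verified subject DN to a known partner id. */
    static String partnerFor(X509Certificate cert) {
        String dn = cert.getSubjectX500Principal().getName();
        // Constructed sample entry; a real deployment reads this from an enrolment registry.
        if (dn.equals("CN=bank-a-gateway,O=Bank A,C=GB")) return "bank-a";
        return null;
    }
}
```

The identity is only as strong as the trust store the container validates the chain against, so the CA list on the SSL connector should contain the partners' issuing CAs and nothing else.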
RE: WS-Security, SSL or both
What type of message traffic are you expecting? SOAP?

We are working on a WS-Security acceleration product that currently uses SW and supports our HW acceleration plans. Yes, signature acceleration et al. Just for kicks (not like we all have a lot of time), you might want to look at www.intel.com/software/xml. There is an AXIS2 compatible Beta in Linux for download. We will have Windows support and a Java API available in Beta at the end of March 08.

David E.A. Johnson
Director, Digital Security Products
Intel Corporation SSG-MMD
1815 S. Meyers Rd., Suite 150
Oakbrook Terrace, Illinois 60441
770-433-3272 direct
404-769-7207 mobile

-----Original Message-----
From: Paul Fremantle [mailto:[EMAIL PROTECTED]]
Sent: Monday, February 18, 2008 5:31 PM
To: axis-user@ws.apache.org; Ruchith Fernando
Subject: Re: WS-Security, SSL or both

I'm copying Ruchith... he's the real guru. But here are some answers:

> The web method implementations must be aware of the client identity... so authentication information must be available to the web method..

Would username/token do? Or do you need the authentication to be based on certificates?

> 1) Is it possible to access two-way SSL authentication information from a web service? (assuming SSL is set up on the axis server - no reverse proxy)

You can always access the Tomcat/Servlet/HTTP context, so if the SSL client cert information is available from the servlet context (which it is) you can get at it in your Axis2 service.

> 2) if not.. would it make sense to have one-way SSL for encryption and XML-Signature for authentication? how would that perform? Would XML-Signature increase the message size drastically? Any alternatives?

Unfortunately it's not just encryption that is slow. Basically the signature has to do the following:
A) create a hash of the message
B) encrypt the hash with the private key (which is how signatures work)

The hash uses an XML algorithm called DOMHash, which is not very fast. The public/private key signature isn't very efficient either. So the result is you'll still have a performance hit.

The alternative is to use Username/Token for authentication, or if that is no good, you can use X509Token for authentication. So effectively you can use SSL for encryption and use a client cert to authenticate, but no message signature.

There is another alternative, which is to use WS-Trust and WS-SecureConversation. This makes life more efficient if you have more than one message exchange (which I'm guessing you will if this is a B2B sort of situation). Basically, the client uses UserName token or the X509 cert to set up the session. Then the server issues a token. The token acts as an ephemeral key which can be used for traditional symmetric encryption and signature. So now the conversation can proceed much more efficiently.

> 3) I also read that PK encryption is too intensive for message encryption.. and is normally used to exchange a session key - does the performance problem apply to digital signatures? is the session key exchange part of the WS-Security spec or do I have to develop a web method that generates the session key?

Basically this is the model I described with WS-Trust and SecureConv. Effectively this models the session startup that SSL does in XML. The upside is the efficiency. The downside is that you need more stuff. So for example, you can interoperate with .NET, but some older stacks don't do WS-SecConv and Trust.

Paul

--
Paul Fremantle
Co-Founder and VP of Technical Sales, WSO2
OASIS WS-RX TC Co-chair

blog: http://pzf.fremantle.org
[EMAIL PROTECTED]

"Oxygenating the Web Service Platform", www.wso2.com
Re: WS-Security, SSL or both
The clients are large organisations that will be submitting and pulling financial transactions, so a username and password is not enough.

pzfreo wrote:
> 1) Is it possible to access two-way SSL authentication information from a web service? (assuming SSL is set up on the axis server - no reverse proxy)
>
> You can always access the Tomcat/Servlet/HTTP context, so if the SSL client cert information is available from the servlet context (which it is) you can get at it in your Axis2 service.

Does this work when using axis without tomcat?

pzfreo wrote:
> There is another alternative, which is to use WS-Trust and WS-SecureConversation. This makes life more efficient if you have more than one message exchange (which I'm guessing you will if this is a B2B sort of situation). Basically, the client uses UserName token or the X509 cert to set up the session. Then the server issues a token. The token acts as an ephemeral key which can be used for traditional symmetric encryption and signature. So now the conversation can proceed much more efficiently.

WS-SecureConversation sounds interesting.. does it work with anonymous clients (behind a firewall)? Do you have any links to good implementation guides for SecureConv? I ran a quick search and all the results seem to point to the spec.

pzfreo wrote:
> Basically this is the model I described with WS-Trust and SecureConv. Effectively this models the session startup that SSL does in XML. The upside is the efficiency. The downside is that you need more stuff. So for example, you can interoperate with .NET, but some older stacks don't do WS-SecConv and Trust.

Interop is important for this impl, but it seems that it is supported by the Sun and IBM stacks. Please correct me if I am wrong.

--
View this message in context: http://www.nabble.com/WS-Security%2C-SSL-or-both-tp15549089p15562519.html
Sent from the Axis - User mailing list archive at Nabble.com.
Re: WS-Security, SSL or both
I'm copying Ruchith... he's the real guru. But here are some answers:

> The web method implementations must be aware of the client identity... so authentication information must be available to the web method..

Would username/token do? Or do you need the authentication to be based on certificates?

> 1) Is it possible to access two-way SSL authentication information from a web service? (assuming SSL is set up on the axis server - no reverse proxy)

You can always access the Tomcat/Servlet/HTTP context, so if the SSL client cert information is available from the servlet context (which it is) you can get at it in your Axis2 service.

> 2) if not.. would it make sense to have one-way SSL for encryption and XML-Signature for authentication? how would that perform? Would XML-Signature increase the message size drastically? Any alternatives?

Unfortunately it's not just encryption that is slow. Basically the signature has to do the following:
A) create a hash of the message
B) encrypt the hash with the private key (which is how signatures work)

The hash uses an XML algorithm called DOMHash, which is not very fast. The public/private key signature isn't very efficient either. So the result is you'll still have a performance hit.

The alternative is to use Username/Token for authentication, or if that is no good, you can use X509Token for authentication. So effectively you can use SSL for encryption and use a client cert to authenticate, but no message signature.

There is another alternative, which is to use WS-Trust and WS-SecureConversation. This makes life more efficient if you have more than one message exchange (which I'm guessing you will if this is a B2B sort of situation). Basically, the client uses UserName token or the X509 cert to set up the session. Then the server issues a token. The token acts as an ephemeral key which can be used for traditional symmetric encryption and signature. So now the conversation can proceed much more efficiently.

> 3) I also read that PK encryption is too intensive for message encryption.. and is normally used to exchange a session key - does the performance problem apply to digital signatures? is the session key exchange part of the WS-Security spec or do I have to develop a web method that generates the session key?

Basically this is the model I described with WS-Trust and SecureConv. Effectively this models the session startup that SSL does in XML. The upside is the efficiency. The downside is that you need more stuff. So for example, you can interoperate with .NET, but some older stacks don't do WS-SecConv and Trust.

Paul

--
Paul Fremantle
Co-Founder and VP of Technical Sales, WSO2
OASIS WS-RX TC Co-chair

blog: http://pzf.fremantle.org
[EMAIL PROTECTED]

"Oxygenating the Web Service Platform", www.wso2.com