Secure your iSeries Web application
Jim Mason
ebt-now
www.ebt-now.com
508-888-0344
Posted 19-Dec-2015
ebt-now QuickWebWorkshop Copyright ebt-now, 2004. All rights reserved.
ebt-now QuickWebServices
o WebSphere, WebSphere Studio, WebFacing, HATS
o QuickWebDefinition - FREE plan
  o web definition, project summary, configuration, WebFacing code analysis
o QuickWebApp - build
  o fixed price, custom, complete Web app integrating iSeries apps, data, xml
  o breaks e-business barriers: cost, risk, technical challenges, payback
o QuickWebSupport - deploy
  o implement your apps on your WebSphere or Tomcat servers
o QuickWebEducation – Web-based training
  o the best iSeries WebSphere Development Studio courses
o QuickWebWorkshop - combine QuickWebApp & Skills transfer
o QuickWebWorkshop – complete package
  o CUSTOM QuickWebApp, implementation, course with ‘hands on’ labs
o QuickWebSuccess on-demand seminars:
  o QuickWebSuccess - Rapidly web-enable iSeries applications and data
o visit www.ebt-now.com or email [email protected] for more
Secure iSeries Web Apps Agenda
o Your security challenges
o E-business security concepts
o Security services in Java Web environments
o WebSphere Express security
o Sample security scenarios
o Seven steps to securing your e-business solution
o Resources
E-business environment
o Usage models: B2X = Business to X
  o B2E (employee), B2C (consumer), B2B (business)
  o ISP (Internet Service Provider) connects your network to the Internet
o Models: query, analysis, transactions, workflow, automation
  o XML allows applications to understand data and messages in B2B!
  o Web services, RMI allow B2B integration over Web without custom networking!
o E-business environment layers:
  o Applications, application services, servers, network
  o Common services reduce application work (data access, media, etc.)
  o Servers deliver services (WebSphere, WebFacing, HTTP, Domino, BizTalk, etc.)
o E-business platforms (applications often distributed):
  o Browsers, client workstations, wireless, servers
Security threats
o Sniffing - others steal data, etc.
o Impersonation - others steal user IDs, passwords
o Decryption - others see your data over encrypted network
o Denial of service - flooding a server with too many requests
o Ping of death - ping indicates more data in packet than there is
o Viruses - beware WINDOWS applications and e-mail!
o Spamming - mass e-mails sent in from outside
o Theft - misusing financial applications
o Destruction - malicious destruction of software
o Others?
E-business security questions
o What is my e-business environment?
o What are my security threats?
o What are my security goals?
o What are my security compliance issues?
o What are the key security concepts?
o What are the e-business security layers?
o What are my options for Java Web security?
o What are my security implementation strategies?
o How do I get started building a plan?
Security concepts
o What are the key security concepts to address?
o Authentication
  o Validate that a user is who he claims to be
o Authorization
  o Ensure that a user has the proper authorization to resources
o Privacy
  o Ensure that information is private based on authorization permissions
o Integrity
  o Ensure that information is not changed unintentionally
o Availability
  o Ensure the authorized resources are available
o Accountability
  o Ensure that transactions DO result in expected state changes with an audit trail
Security trust models
o Security trust models for Web environments allow both parties in a transaction to verify:
  o I am who I claim to be
  o You are who you claim to be
  o No one else can see or change the information shared between us
  o Any objects shared between us can be verified as to the source
  o You are allowed to perform selected operations only on specified objects on my system
o This is critical in many scenarios: B2B supply-chain ordering, buying a product over the Web, online banking, shipment tracking, employee benefits and more.
o While intuitively it may seem that Web environments are inherently less secure than the traditional iSeries 5250 environment because of the additional threats, a Web application environment can be made more secure than the average iSeries environment if a company wants to make the effort.
o What’s worse than finding out that the security of your iSeries applications or data has been compromised? Having them compromised and NOT finding out! Not only is it important to secure applications, data and resources in a Web environment to prevent a security breach, but it’s also important to be able to monitor and recover from any security breach.
Web app security layers
o Client
  o Client certificates, signed files, certificate store, Java security
o Network
  o Firewall port control, IP packet filters, NAT, DNS, DHCP, VPN, relay mail, proxy servers, SSL reverse proxy server, Kerberos authentication
o TCP server
  o HTTP aliases, virtual host mappings, URL redirects, URL rewrites, IP address filters, resource authorizations, load balancers, server certificates, Kerberos authentication, user authentication, user exit APIs
o Web application server
  o User authentication, user-role mappings, role authorizations, Kerberos authentication, Servlet filters.
  o With Java programming, security options include JGSS messages, JSSE, certificates, key stores, JNDI, JAAS
o iSeries host server
  o Server certificates, Kerberos authentication, user authentication, object management rights, object data rights, user-group mappings, object authorization lists, security monitoring tools, data journaling, user exit APIs
Plan security by layers
o Network
  o Network connections (IP)
  o Network applications (TCP)
o Computer
  o PC and iSeries base security features
o Middleware
  o HTTP servers, Tomcat, WebSphere, Domino, LDAP
o Application
  o Java application security
o Users
  o User access to systems, applications (local, remote, external)
iSeries security layers
o iSeries offers security features at all layers
  o iSeries security built in to platform and middleware
  o Windows security less robust - high exposure to viruses, etc.
o Application support for library, IFS systems
  o Object-level permissions granted to users, set by policy
o Middleware: HTTP, Tomcat, WebSphere, other TCP servers
o Network support
  o Full range of TCP, IP security controls:
  o VPN, NAT, Proxy servers, SSL and more
o Users support
  o Simple policies and wizards to control security
  o Good monitoring tools for most exposures, threats
Outside security resources
o ISPs offer many services and can help implement security
o Each scenario to secure is somewhat different
o Selecting a GOOD ISP to meet your needs is critical!
o ISPs can hide IP addresses, forward mail, etc.
o ISPs can host applications: mail, Web sites, etc.
o Selecting a GOOD security consultant to help plan is key
o For iSeries, third parties offer security management software
  o Powertech, Pentasafe, SkyView Partners and others
iSeries security policies
o For e-business, go to level 40 for system value: QSECURITY
  o Only authorized users can get to a command entry screen, etc.
o Control IFS folders with public access
o Control sensitive data with private physicals, public logicals
o Use iSeries logs for monitoring authentication, authorization failures and system changes
o Follow backup plans for data and applications
o Journal databases for recovery
o Set usual controls on user ID expiration, password rules
o Control library security with GRTOBJAUT, IFS security with GRTAUT
o Limit user access to command entry, QShell
Network security features
o Network security can be grouped in two general levels:
  o iSeries supports all of these network solutions
  o most are configurable via config files or thru Ops Nav
o Network level technologies
  o IP packet filtering
  o Network Address Translation (NAT)
  o IP Security (IPSec)
o Application level technologies
  o Proxy servers
  o SOCKS servers
  o Secure Sockets Layer (SSL) and Transport Layer Security (TLS)
  o Domain Name Servers
  o Mail relays
Encryption & digital keys
o Public key encryption
  o Data can be encrypted during transmission using keys and encryption schemes
  o To send an encrypted message to you, the sender encrypts the message by using your public key. When you receive it, you decrypt it by using your private key. When you wish to send a message to someone, you encrypt it by using the recipient's public key. The message can be decrypted only with the recipient's private key.
o X509 Public Key Infrastructure (PKI)
  o Public-key encryption requires only two keys per participant.
  o The need for secrecy is easily met. The only thing that needs to be kept private is the private key, and since it does not need to be shared, it is less vulnerable to theft in transmission than the shared key in a private-key system.
  o Public keys can be published. This eliminates the need for prior sharing of a secret key before communication. Anyone who knows your public key can use it to send you a message that only you can read.
Signed files and Kerberos authentication
o Signed files
  o Files can be “signed” with digital certificates to authenticate who the author was. The recipient uses the public key of the sender to decrypt the signature to identify who the sender was.
o Kerberos authentication
  o MIT created Kerberos as a network authentication protocol. It provides strong authentication for client/server applications by using secret-key cryptography. A free implementation of this protocol is available from the Massachusetts Institute of Technology. Kerberos is available in many software tools, including open source and IBM iSeries software.
  o Kerberos uses strong cryptography so that a client can prove its identity to a server (and vice versa) across an insecure network connection. After a client and server have used Kerberos to prove their identity, they can also encrypt all of their communications to assure privacy and data integrity.
Digital certificates for authentication
o A digital certificate is equivalent to an electronic ID card. It serves two purposes:
  o To establish the identity of the owner of the certificate
  o To distribute the owner's public key
o Certificates provide a way of authenticating users, referred to as authentication by trusted third parties
o Contents of a digital certificate
  o A certificate contains information about the owner of the certificate and the issuing CA:
  o The distinguished name (DN) of the owner. A DN is a unique identifier, a fully qualified name including not only the common name (CN) of the owner but the owner's organization and other distinguishing information.
  o The public key of the owner.
  o The date on which the certificate was issued.
  o The date on which the certificate expires.
  o The distinguished name of the issuing CA.
  o The digital signature of the issuing CA.
Authentication with certificates
o Getting a certificate from a CA
  o The core idea of a certificate is that a CA takes the owner's public key, signs the public key with its own private key and returns this to the owner as a certificate.
  o www.godaddy.com and others
o Using a certificate to authenticate with another party
  o When the owner distributes the certificate to another party, it signs the certificate with its private key.
  o The receiver can extract the certificate (containing the CA's signature) with the owner's public key.
  o By using the CA's public key and the CA's signature on the extracted certificate, the receiver can validate the CA's signature.
  o If it is valid, the public key used to extract the certificate is known to be good.
  o The owner's signature is then validated
  o If the validation succeeds, the owner has successfully authenticated to the receiver.
TCP addressing, DNS
o TCP addresses
  o Old format 4b field (255.255.255.1) defined four classes of domains (A, B, C, D)
  o Range of addresses reserved for private networks (10.x.x.x, 172.16.x.x, 192.168.x.x)
  o New format 6b field (IP6)
o DHCP - Dynamic Host Configuration Protocol
  o Any computer (host in TCP terms) can have a fixed address
  o Using a dynamic address allows a few addresses to be shared by many computers
  o Client configures address as DHCP; DHCP server assigns temporary address
o DNS - Domain Naming Service
  o Addresses mapped to meaningful names (e.g. Masonlt3 = 10.0.0.9)
  o Applications can use name vs. address
  o Names defined locally in hosts file OR in a DNS server
  o If using a DNS server, a client can specify a name and server finds address
LDAP Directory servers
o This is a standard API defining the interface to standard directory services. Directories are often used to store information on authentication (user IDs and certificates) and authorization (who can access what) in a central location on a network. Setting up and using a central directory for all users and applications eliminates the need to do redundant administration on multiple servers in your network (iSeries, Windows, Linux and so on).
o The versions of all common directory servers today support the LDAP version 3 standard interface. Products, tools and applications that access directory information using the LDAP interface only are, therefore, portable across any common directory implementation. The iSeries provides a built-in LDAP server at no charge. IBM also sells other directory servers (Secureway) that you can buy for an iSeries. Common directory servers in use in iSeries shops include the iSeries LDAP server, OpenLDAP, Domino directory and Microsoft Active Directory.
o If you don’t use an LDAP directory for this information you are probably storing the user and application security rules in a standard database like many green-screen applications did.
Domain Name Server
o Domain Name Servers help build a secure network.
  o Enable client to determine the IP address associated with host name (Masonlt3 = 10.1.1.9)
  o Domain name trees typically reflect the organization structure of a company.
o DNS threats
  o Because it is UDP-based, DNS replies are relatively easy to fake.
  o DNS can be used by an attacker to find out the client’s names and IP addresses.
o Split DNS limits exposure using two DNS servers
  o The internal DNS for secure and private host names and the external one for public names.
  o The external DNS is the only one visible from the Internet.
  o Only some hosts need to be known by Internet systems: the e-mail relay, the public WWW servers, the external name server itself, others in DMZ.
  o You only need a public DNS server to advertise your public servers.
  o You can use the ISP as the primary public DNS and mail exchanger for your company.
  o In summary, the objectives of the split DNS function:
    o Internet domain name and address resolution for users in the secure network.
    o Hide the secure network names and addresses from outside users.
    o Name and address resolution for your public Web servers in the DMZ
Firewalls, DMZ
o Firewall - iSeries can operate as a firewall
  o Most companies use a firewall to connect an internal network safely to the Internet.
  o A firewall provides a controlled single point of contact (called a chokepoint) between your secure internal network and the untrusted network.
  o The firewall lets users in your internal network use authorized resources on the outside network and prevents unauthorized outside users from using resources on your internal network.
o DMZ - area between public network and private network
  o Sits between the Internet and the private network
  o Controls access to the private network
  o For simple configurations, ISP may provide basic security services to your firewall server creating a limited DMZ
IP Filters
o IP packet filters
  o An IP packet filter discards denied traffic.
  o A packet filter has a set of rules with actions.
  o Every packet is compared against the filter rules, from top to bottom.
  o At the first match, the action in the matching filter rule (permit or deny) is taken.
  o Most packet filters permit or deny packets based on the following:
    o Source and destination IP addresses
    o Protocol, such as TCP, UDP or ICMP
    o Source and destination ports and ICMP types and codes
    o Flags in the TCP header (whether a packet is a connect request, etc.)
    o Direction (inbound or outbound)
    o Which physical interface the packet is traversing
  o All packet filters share a problem -- the trust is based on IP addresses.
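
An added example (not from the original slides) of the top-to-bottom, first-match evaluation described above, written in Python. The rule names and addresses are constructed, the deny applied when no rule matches is an assumption the slide does not state, and `find_shadowed` is a hypothetical helper that reports rules an earlier rule makes unreachable.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str              # "tcp", "udp" or "icmp"
    dport: Optional[int]    # None for protocols without ports
    direction: str          # "inbound" or "outbound"


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                   # "permit" or "deny"
    direction: str = "*"          # "*" matches either direction
    proto: str = "*"              # "*" matches any protocol
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None   # None matches any port

    def matches(self, p: Packet) -> bool:
        return (
            self.direction in ("*", p.direction)
            and self.proto in ("*", p.proto)
            and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
            and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
            and (self.dport is None or self.dport == p.dport)
        )

    def covers(self, later: "Rule") -> bool:
        """True if every packet that matches `later` also matches this rule."""
        return (
            self.direction in ("*", later.direction)
            and self.proto in ("*", later.proto)
            and ipaddress.ip_network(later.src).subnet_of(ipaddress.ip_network(self.src))
            and ipaddress.ip_network(later.dst).subnet_of(ipaddress.ip_network(self.dst))
            and (self.dport is None or self.dport == later.dport)
        )


def evaluate(rules: List[Rule], packet: Packet) -> Tuple[str, str]:
    """Return (action, rule name) of the first matching rule, top to bottom."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action, rule.name
    return "deny", "(default)"    # assumption: unmatched traffic is discarded


def find_shadowed(rules: List[Rule]) -> List[Tuple[str, str]]:
    """Return (rule, earlier rule) pairs where the later rule can never fire."""
    shadowed = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.covers(later):
                shadowed.append((later.name, earlier.name))
                break
    return shadowed


# Constructed rule set using documentation address ranges.
RULES = [
    # Inbound packets claiming a private source address are forged: the filter
    # trusts whatever source address the packet carries.
    Rule(name="anti-spoof", action="deny", direction="inbound", src="10.0.0.0/8"),
    Rule(name="web", action="permit", direction="inbound", proto="tcp",
         dst="192.0.2.10/32", dport=443),
    Rule(name="block-tcp-in", action="deny", direction="inbound", proto="tcp"),
    # Ordering mistake: placed after block-tcp-in, so it is never reached.
    Rule(name="admin-ssh", action="permit", direction="inbound", proto="tcp",
         src="198.51.100.0/24", dst="192.0.2.10/32", dport=22),
    Rule(name="outbound", action="permit", direction="outbound"),
]

if __name__ == "__main__":
    samples = [
        Packet("203.0.113.5", "192.0.2.10", "tcp", 443, "inbound"),
        Packet("10.1.2.3", "192.0.2.10", "tcp", 443, "inbound"),
        Packet("198.51.100.7", "192.0.2.10", "tcp", 22, "inbound"),
        Packet("203.0.113.5", "192.0.2.10", "udp", 53, "inbound"),
    ]
    for pkt in samples:
        print(pkt, "->", evaluate(RULES, pkt))
    print("shadowed:", find_shadowed(RULES))
```

Moving `admin-ssh` above `block-tcp-in` makes it reachable, which is why rule order needs review whenever a rule is added.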
Network Address Translation
o NAT - Network Address Translation
  o Translates internal or private IP addresses to public or globally routable IP addresses.
o Some advantages of NAT:
  o Saves public IP addresses. (the pool of global addresses can be shared)
  o Hides the internal network's IP addresses.
  o Simplifies routing.
  o Hosts accessed from public network addresses translated by NAT.
  o IF application uses the global IP address in the application, it won't work through NAT.
  o Is more efficient than SOCKS and proxy servers.
o Some disadvantages of NAT:
  o Provides minimum logging services.
  o IP forwarding must be enabled.
  o Not as adept as either the SOCKS or proxy servers in detecting attacks.
  o Breaks some applications or (FTP) makes them harder to run.
IPSec and VPN
o IPSec and VPN (virtual private networking)
  o VPN is an extension of a company's private intranet across a public network infrastructure such as the Internet. It is based on creating virtual secure tunnels between hosts connected to the public network. To participate in a secure tunnel or VPN connection, the VPN partners or tunnel end points must implement a compatible suite of VPN protocols.
  o (iSeries to iSeries, iSeries to Windows 2000, NT and later)
o IPSec protocols:
  o Authentication Header (AH): data origin authentication, integrity and replay protection.
  o Encapsulating Security Payload (ESP): data confidentiality, data origin authentication, data integrity, and replay protection.
  o Internet Key Exchange (IKE): automatic key management.
o Authentication, encryption, and integrity algorithms heavily depend on secret keys that the VPN partners share.
Proxy servers
o Proxy server: Protecting direct access
  o Proxy servers are deployed for two key purposes: security and performance.
  o Proxy servers can monitor and filter inbound and outbound requests, or act as a single point of access for communications with untrusted networks.
  o Proxy servers can improve HTTP response times by serving documents from a local cache.
o Forward proxy
  o A forward proxy fetches from another server, allowing clients to reach a network to which they wouldn't otherwise have access.
o Reverse proxy and proxy chaining
  o Two other forms of proxy support are available with the HTTP Server (powered by Apache).
  o One is reverse proxy, which is the same as a forward proxy, except that requests from outside of the firewall to the proxy are allowed.
  o The other is proxy chaining, which requires two or more proxy servers and can be used to balance server workloads or network traffic.
SOCKS server
o A SOCKS server is another TCP/IP application that re-sends requests and responses between clients and servers. The SOCKS server handles all (HTTP, Telnet, FTP and so on) protocols.
o The purpose of the SOCKS server is the same as a proxy: to break the TCP/IP connection and hide internal network information.
o Client must be SOCKS-enabled, that is, it must support the SOCKS protocol. Some applications (such as popular Web browsers) support SOCKS.
o There are some products such as Hummingbird SOCKS that “socksify” the Microsoft TCP/IP stack
o There are also some systems (such as OS/400) that support a SOCKS client in their TCP/IP protocol stack (versatile clients) so that all client applications can use a SOCKS server. The client configuration gives the name of the SOCKS server to use and rules for when it should be used.
o Socks servers have no knowledge of the application protocol that they are using. They don't distinguish Telnet from HTTP. As a result, they can be written in a more efficient manner than a proxy. The down side is that they can't perform such tasks as caching or log URLs that are accessed.
SSL – Secure Sockets Layer
o SSL (now TLS) protocol provides privacy over the Internet.
o SSL-enabled client and server applications prevent eavesdropping, tampering or message forgery.
o These protocols provide encryption, integrity and authentication.
o TLS includes some new features and clarifications of protocol flows for areas ill-defined by the SSL protocol definition.
o The SSL/TLS protocol consists of two separate protocols: the record protocol and the handshake.
o SSL handshake establishes an SSL session on TCP/IP for a client and a server application.
o During the handshake, the client and server agree on encryption algorithms and the encryption keys
o The client will authenticate and verify the identity of the server.
o The server can optionally authenticate and verify the identity of the client.
o After the SSL handshake, information exchanged between the client and server is encrypted
o SSL negotiates unique encryption keys for each SSL session between a client and a server
o During the SSL handshake, the server sends a digital certificate to the client.
o Digital certificates provide information that enables the client and server to identify each other.
o Digital certificates are issued by trusted third parties called certificate authorities.
o An SSL client must trust the certificate authority that issued the server's certificate to communicate
Mail relay server
o iSeries SMTP can be local mail server (local Mail Transfer Agent (MTA)), a mail relay, or both.
o Mail sent from user mail queue thru mail transfer agents to user mailbox
o Relays mail between the internal mail server and Internet mail servers.
o iSeries (post office protocol (POP) 3 server) stores the mail for user retrieval.
o Spam - if relay allows, outside mail sender sends many mail pieces through relay
o Summary for the flow of mail from the sender to the receiver using SMTP:
  o User [email protected] sends an e-mail from her PC client Netscape mail to user [email protected].
  o The Mail User Agent (MUA) program in the mail application is invoked.
  o The MUA passes the mail to the Mail Delivery Agent (MDA), MDA transfers it to the local Message Transfer Agent (MTA) for delivery.
  o The local MTA client in mycompany.com sends the mail to the company's mail relay MTA.
  o The mail relay in mycompany.com sends the mail to the mail relay MTA in yourcompany.com.
  o The mail relay MTA in yourcompany.com passes the mail to the local MTA in the SMTP server.
  o The local MTA at yourcompany.com delivers the mail to the receiver's mail box.
VPN or SSL?
o Running services over SSL provides encryption and, therefore, confidentiality. Data and passwords do not flow in the clear.
o Only a few clients and servers provide SSL client authentication. If valid iSeries user IDs and passwords were compromised, they can be used to remotely access your SSL servers.
o Secure Sockets Layer (SSL) is in the transport layer (TCP/UDP) and requires changes for applications. Only those TCP/IP server and client applications written to SSL can use this protocol.
o IPSec (for iSeries VPN support) is implemented in the network layer (IP) of the TCP/IP stack.
o Network-layer security protocols protect the upper-layer application without requiring modification of the upper-layer applications that use the secure tunnel.
o Once a host supports IPSec, all TCP/IP applications are protected without any changes to the application. This provides the virtual network view of the interconnected VPN hosts.
o SSL offers more granularity than VPN. With SSL, you can decide to protect only some applications while VPN protects all the traffic between the data endpoints.
o When client authentication is supported, SSL authenticates each application with different digital certificates or even the same application (for example HTTP server) with different certificates depending on the server requirements.
o VPN authenticates the VPN server.
Single sign-on
o The goal for single sign-on is to let a user authenticate only once to your network and then access multiple applications on different servers without signing on again in the session.
o In a single sign-on environment a user (client) connects to a company’s network and receives an authentication challenge. After successfully logging on to the network, the client is associated with a special Kerberos digital ticket for the duration of the session.
o With Kerberos, when a user requests access to an application on a secured server (say Order Entry on an iSeries), the user’s identity is checked in a central directory to see if he has a valid ID for the requested server. If the ID is found for the user, the digital ticket for that server is retrieved and passed automatically to the iSeries server. The server authenticates the ticket. If it’s validated, the user is given access to the Order Entry application on the iSeries.
Java Web application security APIs
o JNDI – Java Networking and Directory Interface
  o JNDI provides application access to any LDAP-compliant directory in your network. Your application looks up a resource by name in the LDAP directory.
o JCE – Java Cryptography Extensions
  o Encryption algorithms let you encrypt or decrypt messages using any of the supported algorithms in the JCE (Java Cryptography Extensions): RSA, DES, IDEA, MAC and more.
o JAAS – Java Authentication and Authorization
  o This Java package enables an application to authenticate users and grant authorization to resources. Web application servers such as WebSphere have administration tools that use this support to set up users, groups, roles and authorizations to resources.
o JSSE – Java Secure Sockets Extensions
  o The secure sockets support allows a Java application to directly use SSL/TLS encryption over a TCP socket. I’m writing an application for a company to check credit automatically over a secure Internet connection. Normally, you’d use TCP applications that do this automatically. Sometimes, you must write an application to do this using this package.
o JGSS – Java Generic Security Services
  o JGSS provides secure messaging between applications using Kerberos V5 authentication and encryption algorithms.
o JCP – Java Certification Path
  o Java applications can build and validate certification paths (chains) on certificates. There is support for key stores and certificate stores to manage keys and certificates. In the latest release (J2SE v1.4.2), applications can build and analyze certification paths for a certificate.
Middleware security features
o Dependent on middleware products:
o LDAP server - Local Directory Access Protocol
  o Directory server built in to iSeries for application objects, users
o Apache Http Server
  o IBM Apache HTTP server supporting WebSphere, Tomcat
o WebSphere
  o IBM J2EE application server for Java Web apps (multiple versions)
o Domino
  o Application server for document Web serving, Notes apps
o Tomcat
  o Open source J2EE application server for Java Web apps
  o Included free with IBM Apache HTTP server
WebSphere Express runtime
o Web app servers provide J2EE middle tier 2 support
  o Web applications run in Web container, EJB applications in EJB container
  o Web components = servlets, JSPs, Java beans and other resources in WAR files
[Diagram: Tier 1 (browser, wireless, app client); Tier 2 (HTTP Server; Web application server with servlets - control, JSP - output pages, Java beans - logic, data; Enterprise Java Bean container); Tier 3 (5250 apps, server apps, data)]
WebSphere Express v6 features
Server feature: what it supports
o Web server plug-in: lets WebSphere receive requests for web pages, servlets, JSPs and EJB from an Http server
o Application server: Runs apps that are servlets, JSPs or Enterprise Java Beans. Manages configurations, directories and security. Track user web sessions, objects
o Servlets: Servlet 2.2: Run servlets, search, load classes
o JSP (Java Server Pages): JSP 1.1: dynamically compiling and loading JSPs as servlets.
o XML: XML docs -- a parser, translator and generator
o Connection Manager: manage database & services connections
o Web services: supports WSDL, SOAP, UDDI services to create, publish, run web services
o Application messaging: JMS application messages by queue or topic
o EJB - Enterprise Java Beans: EJBs - Entity, Session and Message Driven bean
o WebSphere Admin Server Manager: Admin server to run application servers. -- Java console interface or browser interface
LDAP features
o The Lightweight Directory Access Protocol (LDAP) is a directory service protocol that runs over Transmission Control Protocol/Internet Protocol (TCP/IP).
o LDAP is a directory service with descriptive, attribute-based information.
o The LDAP directory service model is based on entries (also referred to as objects). Each entry consists of one or more attributes, such as a name or address, and a type.
o Types are mnemonic strings, such as cn for common name or mail for e-mail address
o For Directory Services, the files are located at /QIBM/UserData/OS400/DirSrv.
o Distinguished names are ordered, e.g. cn=Tim Jones, o=IBM, c=US, where o = organization, c = class and cn = common name.
o Each entry has a Relative Distinguished Name (RDN). The entry above a given RDN is called its parent Distinguished Name. For example, cn=Tim Jones names the entry, so it is the RDN. o=IBM, c=US is the parent DN for cn=Tim Jones.
o Entries can be imported and exported in LDIF format using QShell or Ops Nav
WebSphere security features
o WebSphere (WAS) features
   - IBM's family of WebSphere servers are J2EE-compliant Web application servers.
   - WebSphere version 5 has three iSeries versions: Express, Application Server, Network Deployment
   - All WAS servers support full J2EE: servlets, JSPs, XML, Web services, EJB, JMS
   - Express v6 is free on new i5 servers – call your IBM rep to find out if you qualify
   - WebSphere security can be set for server instances and customized for applications and resources.
o WebSphere security
   - The WebSphere security system enables the administrator to define security policy to establish control of resources. The system provides security services to enforce the policy.
   - Authentication is the process of verifying that users are who they say they are
   - Authentication generally requires two steps:
     1. The user sends information to an authentication service (LDAP directory or OS/400 System Dist Directory)
     2. The service validates the information. If valid, the server authenticates the user.
WebSphere security
o Authorization is the process of determining what a user is permitted to do.
o Different classes of users and groups are associated with roles, which give them privileges, such as the ability to Read, Write, or Execute (Run) an app
o Security managed through the administration console
o SSL can be configured for Web applications easily
o "Run As" option - Delegation allows an intermediary to perform a task initiated by a client under an identity set by the associated security policy.
o Use the Application Assembly Tool (AAT) to set the SecurityIdentity value in the deployment descriptor.
Securing applications with WebSphere product security involves:
o Tasks that create a set of policies that define which users have access to which methods or operations in which applications.
o Example: you can establish policies to specify whether the user Jim is permitted to use the company's inventory application to perform a write operation, such as changing the number of units of merchandise recorded in the company's inventory database.
o The security server works with the selected user registry or directory product to enforce the policies
Express authentication options
o For a WebSphere Express application, you can specify one of several user authentication mechanisms:
Basic authentication
   - The realm name is sent from the server to the browser, and the user name and password are sent by the browser as part of the HTTP request
Client certificate authentication
   - Each client has a valid digital certificate, and its credentials are sent over an SSL (Secure Sockets Layer encryption) connection to the server. While very secure, it can be cumbersome to set up for many types of clients
Form authentication
   - The values a user supplies for user ID and password are transmitted in clear text as part of the HTTP request. SSL connections are required to ensure this information is secure.
Domino features
o An application server for mail, Notes applications, documents internally and over the Web
o Can plug into Apache HTTP server (version 6) or old IBM HTTP server (version 5)
o Premier solution for e-mail, collaboration
o Can access iSeries resources via LotusScript or Java
Domino offers VERY fine-grained security and control easily!
o Network
o Domino server
o User authentication
o Database
o View / Forms
o Document
o Section editor
o Hidden paragraphs
o Edit fields
Apache HTTP Server
o Open-source HTTP server code from Apache Software Foundation
o "It must be called the HTTP Server (powered by Apache) with the parenthetical phrase as a bold reminder of the power and value of the integration with OS/400."
o Requires 3 LPPs: 5722-DG1 (Http), 5722-JV1 (Java), 5722-TC1 (TCP)
o A Web server to receive HTTP requests, send HTTP responses to clients
o Supports "plug-ins" to handle requests: WebSphere, Tomcat etc
o Has configurable routing rules to process different types of requests
o Is administered thru Ops Nav or browser
Apache HTTP Server features
o Persistent connections - for a single client between requests for objects
o Virtual hosts - multiple Web sites hosted through one server
o Dynamic virtual hosting - adds Web site address, host to HTTP headers
o Proxy caching - faster page response to internal users
o SSI - server side includes to process page responses before returning
o CGI - calls to CGI programs allowed
o LDAP support for directory names, authentication
o Web server search engine - text searches on Web pages
o WebDAV - collaboration on documents over the web supported
o Plug-ins supported: Domino, WebSphere, Tomcat, more
o APR - Portable runtime libraries added - ILE service programs
o TRCTCPAPP command for tracing
o FRCA - Fast response cache architecture for cached pages
o Clustering of HTTP servers for load balancing
Apache HTTP Server security
o User authentication - thru LDAP or OS/400, authentication by password or digital certificates
o Specify which profiles are used for which realms (resource pools)
o Access control - configuration controls which resources are served to which users.
o Supports allow, deny directives in order with requires for user for a resource name
o Encryption - SSL supported using a virtual host configuration
o Proxy server - can be a proxy hiding internal addresses, forward, reverse and proxy chains
Apache Tomcat server security
Tomcat is a J2EE Web application server
o Runs Java Web applications well: Servlets 2.3, JSPs 1.2, Java beans
o Supports the Web container applications but NOT EJB (Enterprise Java Beans)
o Uses Java toolkit or local Java support to access iSeries objects, services
o On iSeries, it's packaged with IBM Apache HTTP Server (5722-DG1)
o Configurable through Web browser on HTTP Server administration
o Available for free from www.apache.org for other platforms
Tomcat architecture
o Class Loaders
   - Tomcat 4 installs a variety of class loaders to allow different portions of the container, and the Web applications running on the container, to have access to different repositories of available classes and resources
o SSL Config - Secure Sockets Layer
   - SSL can be configured in Tomcat by installing JSSE, creating a certificate key store and configuring SSL in conf/server.xml file.
Tomcat controls
o JNDI Resources - Java Network Directory Interface
   - Tomcat 4 provides a JNDI InitialContext implementation instance to Web applications running under it.
   - Tomcat applications use JNDI to access directories like an LDAP server.
o Manager App - allows a client to control Tomcat processing.
   - Tomcat can be stopped and started using commands. Applications can also be deployed and reloaded using commands.
o Proxy Support
   - Tomcat applications can request proxy access to the requester's original server name & port.
   - The Apache HTTP server can operate as a proxy server to Tomcat, forwarding requests. This is an alternative to the normal configuration of "plugging" Tomcat in to the HTTP server.
o Realm - a set of users & the roles they have for applications.
   - There are three realms an application can connect to for authentication: JDBCRealm, JNDIRealm, MemoryRealm
o Security Mgr
   - Tomcat can have a security manager installed to control application access and user access to resources.
   - Tomcat's security is not as tested as WebSphere's.
Sample security scenarios
Web scenario 1: mail, Web browsing, external Web serving
o Assumes a 270 running on a LAN with PC users
Web scenario 2: mail, Web browsing, Web serving, WebFacing
o Assumes a 270 running on a LAN with PC users
Web scenario 3: mail, Web browsing, Web serving, WebFacing, XML, FTP, Web services
o Assumes a front-end 270 Web server and an application server 820 running on a LAN with PC users
Make decisions on how to secure…
Security option | Access control | Encryption    | Authentication    | Integrity checking | Address concealment
IP filtering    | Yes            | No            | No                | No                 | No
NAT             | Yes            | No            | No                | No                 | Yes
VPN             | Yes            | Yes (packet)  | Yes (packet)      | Yes (packet)       | Yes
SSL             | Yes            | Yes (data)    | Yes (system/user) | Yes                | No
Reverse proxy   | Yes            | normally no   | Yes (user)        | Yes                | Yes
Simple network
[Diagram labels: iSeries, PC, PC server, standalone FTP to ISP, Net router, Internet link]
o Ethernet network running TCP
o Not connected to Internet
o iSeries has dial port
o standalone pc for ISP access
Primary threats
o internal abuse
o viruses from Internet files
Web 1: browsing, email
[Diagram labels: iSeries, PC, Net router, Internet link, PC server]
o Added Internet connection thru iSeries proxy server to router
Primary threats
o external attacks: DoS etc
o privacy on message traffic
o exposure of internal addresses
o abuse of TCP applications (ftp, smtp, http)
o viruses especially for Windows
Web 1 plan
Provides basic mail services, Web browsing to internal users and allows external users access to an outsourced company Web site
On iSeries:
o Simple e-mail using SMTP, POP mail servers, a Web gateway for internal users, DNS, DHCP for internal clients
ISP services:
o Forwards e-mail to iSeries servers, assigns one IP, resolves external DNS queries, has external Web site
Scenario benefits:
o One IP address needed
o Eliminates need for added security device
o ISP provides dynamic public IP address for iSeries so internal address not known
o iSeries only does routing, filtering and mail serving
o Internal users protected by iSeries from outside
Scenario risks:
o Configuration errors impact security
o Denial of service attack on iSeries gateway
Web 2: Web site, Web apps, WebFacing
[Diagram labels: iSeries, PC, Net router, Internet link, PC server]
o Added Domino, Http, Tomcat, WebFacing servers
Primary threats
o external attacks: DoS etc
o privacy on message traffic
o exposure of internal addresses
o abuse of TCP applications (ftp, smtp, http)
o viruses especially for Windows
o limited access to IFS
o security for database, objects, users
Web 2 plan
Provides browsing, SMTP mail server, WebFacing for browser access to 5250 applications and integrated Web site running Java Web applications in Tomcat
o On iSeries:
   - SMTP server, HTTP server with Tomcat for Web serving, a Web gateway for internal users, DNS, DHCP for internal clients, WebFacing server, virtual hosts, VPN, NAT, SSL, LDAP
o On ISP:
   - Forwards e-mail to iSeries servers, assigns one IP (one for HTTP server), resolves external DNS queries
o Scenario benefits
   - One IP address needed: HTTP server, SMTP server
   - ISP provides dynamic public IP addresses for iSeries so internal address not known
   - iSeries does only routing, filtering and mail serving, application serving of all types
   - Internal users protected by iSeries from outside
   - Remote users can also access mail, all applications
   - Internal and remote users have SAME interface to applications (browser)
   - External users can access applications if authorized (WebFacing, mail, Java Web)
o Scenario risks
   - Denial of service attack on iSeries gateway.
   - Availability risk IF SMTP mail relay task not constrained
   - Requires higher skills to implement internal servers
Web 3: Add XML, Web services
[Diagram labels: iSeries, PC, Net router, Internet link, PC server, iSeries]
o Added WebSphere, XML, B2B services
Primary threats
o external attacks: DoS etc
o privacy on message traffic
o exposure of internal addresses
o abuse of TCP applications (ftp, smtp, http)
o viruses especially for Windows
o limited access to IFS
o security for database, objects, users
Web 3 plan
Delivers Web browsing, Domino mail & document server, WebFacing, WebSphere Express for Java web applications, XML content, Web services for B2B connections
o On iSeries:
   - Domino application server, HTTP server with WebSphere Express for Web serving, a Web gateway for internal users, DNS, DHCP for internal clients, WebFacing server, virtual hosts, VPN, SSL, NAT, LDAP
o On ISP:
   - Forwards e-mail to iSeries servers, assigns two IPs (one for Domino, one for HTTP server), resolves external DNS queries
o Scenario benefits
   - Two IP addresses needed: Domino application server, HTTP server
   - ISP provides dynamic public IP addresses for iSeries, so internal address not known
   - Internal users protected by iSeries from outside
   - Internal and remote users have SAME interface to applications (browser)
   - External users can access applications if authorized (WebFacing, Domino, Java web)
o Scenario risks
   - Denial of service attack on iSeries gateway.
   - Availability risk IF Domino mail router task not constrained
   - Requires higher skills to implement internal servers, WebSphere partner link needs to be secure
Seven steps to secure your e-business
o Define a clear e-business plan
o Define potential security threats
o Set a security plan
o Set security policies
o Implement security procedures and controls
o Monitor security performance
o Audit security performance
Seven steps (cont)
E-business plan defined
o Define e-business objectives and metrics
o Review help needed for design, implementation, support
o Map existing application services, infrastructure
o Set application services needed to meet objectives
o Review implementation alternatives for services
o Review user access points and methods for services
o Define infrastructure design for services
o Define ISP services needed
Security threats defined
o What is your environment?
o What are your threats?
o What is the potential damage from these threats?
o How can these threats be controlled?
o What are the costs, risks associated with a control method?
Seven steps (cont)
Security plan defined
o What are the business objectives our plan supports?
o What areas of security does our plan address?
o What are the primary threats our plan mitigates?
o What are the strategies for managing security?
o What controls do we want?
o What are the procedures we want?
o What resources do we have/need to control security?
o Where do we get relevant security training?
Security policies
o What controls do we need for each security layer (network to user)?
o What are the security policies we need, given our control strategies?
o How do we implement the policies in different tools, software?
Security policy delivers:
o Guidelines on required and preferred security features of new products
o Privacy policy for e-mail, keystrokes recording, files stored on company's media
o Which messages must be displayed, warning users that they might be monitored and informing them that only authorized access is permitted
o An Acceptable Use Policy (AUP) that clearly defines the purposes for which the company's systems and networks may be used
o Responsibilities of users, IT staff, and management, and how they should handle a security incident
o Which connections are allowed to external networks and systems
o What services are permitted from the internal network to the Internet, who is authorized to access those services, and what restrictions apply
o Same as above, but from the Internet to the company's network
o How configuration of systems, networks can change and who may change them all
o Who's allowed to access what systems and in which ways they access those systems
o How to authenticate users, passwords requirements; local and remote user authentication guidelines
o Availability of resources, performance and how to measure and monitor deviations for the service level
o Who is authorized to perform maintenance of systems and networks
o How to report policy violations, including contact information
Security procedures and controls
o What security procedures do we need for our control strategies, policies?
o What specific controls are we implementing as part of security procedures?
Sample procedures
o Job timeouts without user input
o Session timeouts without user input in Java
o Password not equal to user id
o Password expiration
o Hide internal addresses from external users
o Set FTP timeouts for no-activity
Monitoring and audits
Security monitoring
o How do we monitor the effectiveness of security controls, procedures?
o Firewall logs for intrusions on IP addresses, etc.
o Network traffic logs for TCP on connection and application layer services
o iSeries QHST
o iSeries Joblogs
o Disabled user profiles
o Password controls
o Object access logs for invalid authorizations
Security audit
o How do we audit the effectiveness of security controls, procedures?
o What are the highest impact security exposures to audit?
Who audits and how?
o Big 5 accounting firms traditionally have real technology challenges to face
o IBM services -- can they really audit themselves?
Key security points
o Review your security plan, issues, challenges by layer
o Get good outside help to plan, review e-business security
   - Use iSeries ONLY business partners versus standard e-business providers
   - Don't ask one expert (even IBM), get a second and third opinion even if you have to pay
o Coordinate with ISP security services needed
o Focus on common security models based on standards
   - Avoid "custom" solutions vs. standard solutions that can be customized
o Balance security exposure impact to plans and results
o Leverage iSeries security runtime built-in free!
o Check resources for more details on specific areas
Resources
IBM iSeries Web site
o http://www.ibm.com/software/ad/wds400/
IBM WebSphere Web site
o http://java.sun.com/
Search400.com Web site
o www.search400.com
Apache software organization for open source software
o http://www.apache.org/
iSeries security advisor
o http://www.redbooks.ibm.com/tstudio/secure1/advisor/secwiz.htm