1) Performance. XML processing takes up significant CPU resources. So does cryptography. Together, XML Decryption creates a "perfect storm" of CPU usage.
2) Key generation and key management. It can be very tricky indeed to generate cryptographic keys and then to store them safely on hardware.
The good news is that XML Gateways address both issues. They are high-performance, and they typically include hardware for key storage. Vordel's XML Gateway also includes a simple tool for generating certificates and private keys.
We are going to setup a demo whereby a client encrypts part of an XML message using a public key, and then an XML Gateway decrypts the encrypted data using the corresponding private key. This is shown in the schematic below:
To set this up, the first thing you need to run this demo is a copy of the SOAPbox testing tool and a copy of the Vordel XML Gateway (grab a XML Gateway evaluation here). We are going to use the Policy Studio to generate the keys.
The high-level steps are:
Step 1) Create the public and private keys in Policy Studio, then export them.
Step 2) Import the keys into the SOAPbox
Step 3) Create the XML Decryption policy in Policy Studio
Step 4) Perform the Encryption in SOAPbox and send the encrypted message to the XML Gateway, where it is decrypted.
Let's get started...
Step 1 - Creating the certificate and private key.
For this demo, we are going to create a self-signed certificate. In a real deployment scenario, of course, you would use a certificate from a trusted CA such as VeriSign, or a corporate CA.
In Policy Studio, open the Certificates configuration by clicking on “Certificates” on the left-hand side:
Press “Edit” beside the “Subject” and enter details. You only need to enter the Common Name and Company Name. Then press “Sign Certificate” and choose “Self-Sign” in order to create the private key also. You can choose “Use Distinguished Name” for the name of the certificate, used to identify it later.
Now press on “Export Certificate and Key”. Choose the “PEM” format. Enter a password, and remember the password because you will need it later
2) Importing Certificate into SOAPbox
In SOAPbox choose “Security “ from the menu, then “View Certificates”.
Press on “Create” and then “Import certificate+key”. Load in the certificate file (“PEM” file) which you created in the previous step (note: strictly speaking we only need the public key for this demo, as we're only doing XML Encryption on the client. If you want to follow on and do XML Signature on the client, you'll need the private key. Note also that if you use an XML Gateway appliance, then key exporting is highly controlled).
3) Configuring the XML Decryption policy in Policy Studio
Back in Policy Studio, right-click on the policies and choose “Add Policy”.
Give the policy a name:
Drag an “XML Decryption Settings” filter from the right-hand-side onto the policy canvas. You can find it under the “Encyption” group.
Enter the settings “Decrypt all” and “Find via KeyInfo in message”, as shown below:
Now, right-click on the “XML Decryption Settings” filter and choose “Set as start”.
We want to echo the decrypted message back to the client (i.e. back to SOAPbox). So we now add a “Reflect” filter at the end of our policy. This is to be found under the “Utility” group. The policy now looks like this:
Now, at the “XML Gateway” level, right-click and choose “Add Relative Path”, as shown below:
Create a path called “/decryption” and map it to the policy you just created.
Be sure to press F5 to push the updated policies put to the XML Gateway. If you are using Policy Director then you must have deploy privileges for that XML Gateway.
4) Seeing XML Decryption in action with SOAPbox
Finally we perform the Encryption in SOAPbox and send the encrypted message to the XML Gateway, where it is decrypted.
In SOAPbox, using the “Classic Mode”:
In the SOAPbox screenshot below, you can see the encrypted data in the left-hand (outbound) side. Press “Send Request”. We now see the message being sent to the decryption Web Service. In the response, on the right-hand-side, the data is decrypted:
That is all there is to setting up XML Decryption using SOAPbox, the Policy Studio, and the Vordel XML Gateway.
2 comments:
Thanks for the article!!
I´ve been thinking about this kind of uses for a time and, for me, there is one unsolvable problem: If XML gateway does the unencryption, aren´t we broking the so important need about end-to-end security?
Thanks for your advice.
Hi Fidel
That's a very good question. The advantages of doing XML Decryption on the XML Gateway are that:
(1) You are storing the private key in hardware (and not in a keystore on the file system as is the usual practice at a Web Service host),
(2) you get better performance than you would at the Web Service host, and:
(3) You can configure the XML Decryption based on a centralized policy, independent of the Web Service host.
*BUT*, as you point out, you still have to think about the end-to-end security. Because you have to answer the question: "What about the connection from the XML Gateway to the Web Service host?".
You have a number of options for this. You can:
(a) Setup a mutually authenticated (and encrypted) SSL connection between the XML Gateway and the Web Service host. This has the advantage of being fast (hardware acceleration is only required for the session negotiation part of SSL, and once the session is established, it's fast). In this way, no attacker can connect directly to the Web Service, and the only client which can connect to the Web Service is the XML Gateway itself (which stores its private keys on hardware, so nobody can impersonate it). This is simple to configure on all Web Services platforms, and you have only one "user" (the XML Gateway) to manage. I have set this architecture up myself in customers where the Vordel XML Gateway sits in front of SAP Netweaver.
Or you can:
(b) Run a software XML Gateway right on the Web Service host itself [i.e. at the "Last Mile"].
Or, similarly:
(c) deploy an agent embedded into the Web Service endpoint host itself, at the last mile (such as the agents provided by Vordel's partners CA and Oracle).
This is a great question. I think it deserves a blog post answer of its own! Look out for such a post on this blog soon....
Post a Comment