SSL + WS-Security = Web Service Security

ArticleDirectory

• What is SSL
• Software SSL practices
• Hardware SSL Structure Design

Recently, a third-party web service using SSL is needed in the project, so I learned about SSL and Web Service temporarily. on the one hand, this article is of great help to me. The author writes well and makes it clear from the principle. Because I have reproduced it, I will analyze it with you on the one hand to facilitate future study.

(Original address: http://cenwenchu.javaeye.com/blog/316729)

I read the blog message this morning and found that a friend gave me a message saying that he is studying SCA and is also confused. In the case of Heterogeneous Distributed Environments, whether or not the SCA specification is used for implementation, Web services are used to complete service-oriented service calls. SCA has no advantages at all. In fact, this is a misunderstanding. The SCA framework specification is not a specific business scenario to address the implementation specification. It is a framework structural specification, and its essence mainly lies in: 1. promote abstraction and encapsulation from objects to business component Module 2. the scalability of the Framework (that is, it is easy to expand because there is no implementation constraint ). Of course, the benefits brought by these two points are that, under such a refined framework Core Specification, they constantly integrate various good external technologies and ideas, just like the most important feature of web, it standardizes interfaces (for unified interaction management) and opens any contribution under interfaces, active participation and active integration will make the framework more and more dynamic. Spring is a good example. The differences between SCA and spring have also been mentioned in the previous article. SCA is not just like other standards, but is the product of accumulation in past failures. Finally, for example, the SCA specification is like a recipe. As for what kind of pot is used, all the materials produced by the chefs are controlled by the chefs.ProgramMembers need to work together to drive the practice of this standard. Correct and correct actions are the two key points to success or failure. Let's get down to the truth and continue with this topic.

In the previous service framework work, Web Service support has become the focus of this period, from the initial stress testing, Java client compatibility testing. net, PHP client compatibility testing, WS-Security integration, and service framework support for Web services are gradually enhanced. The first phase of AEP is basically ready to go online. The second phase of AEP is also in progress, and the second phase of ASF's functional requirements are gradually raised. One aspect seems to have a higher priority, so I started to do it first, that is, SSL. At the beginning, I had some misunderstandings about the SSL requirements. I thought it was for the Web server. What we need to do is the hardware SSL, the "first rack" means preparing for the client call in SSL mode (indeed, the client must do some work in both hardware and software mode ). In the future, I will talk about how to integrate the Web server SSL platform and how to communicate with SA experts about the hardware SSL architecture strategy.

What is SSL

Although I have heard about SSL before, I often see that ie suddenly jumps out a security prompt box, but I have not carefully read the specific principle and structure of SSL. Now that we have to use the principle, we should first clarify the principle and then practice it.

SSL (Secure Socket Layer) is a communication and interaction protocol established by Netscape in 1994. It aims to ensure data transmission security between web servers and browsers. The SSL protocol layer is between the TCP/IP layer and the application layer. Currently, TLS (Transport Layer Security) is gradually replacing SSL (Latest Version V3 ).

The SSL protocol is divided into the following parts:

Record protocal is the basic layer of SSL. All upper-layer operations of SSL are based on this layer. This layer is mainly responsible for operations such as message content segmentation, compression, encryption, and digital summarization.

Handshake protocal is the handshake protocol, which is also the process standard protocol for both parties to exchange encryption settings and authentication before the formal application of data transmission.

Change cipher spec protocol is a protocol that notifies the remote server to modify the security settings in the record protocol layer based on the record protocol layer.

Alert protocol is a protocol that sends warnings to remote servers based on the record protocol.

The specific flowchart of SSL:

The SSL process also reflects the use of symmetric and asymmetric keys. Because symmetric key encryption is 1000 times faster than asymmetric key encryption, symmetric keys are used to encrypt content, non-symmetric keys are used to encrypt symmetric keys.

The server must have a certificate with the server ID and public key/private key pair. In the handshake process, the server extracts the certificate with the public key and sends it to the client. The client can first determine whether the certificate issuer belongs to the trusted CA of the Local Machine. If not, this is similar to the IE bounce prompt. If you pass this CA authentication, both parties can pass asymmetric encryption.AlgorithmTo exchange the temporary symmetric password generated by the client for security encryption information interaction.

Software SSL practices

Because all unit tests currently use the ASF template class provided by me, The started Web Service is a Web Service released by Jetty in the service framework. It is lightweight and not complex to test web applications in the past, you do not need to start a Web container. In the early stage, the integration of WS-Security has enabled unit testing to Support Testing of Web Services with WS-Security.

With a try, I directly released the SSL Web service using the service framework. After the client calls it, it fails, but the error still cannot be identified as a client or server, therefore, Tomcat is configured externally to create an SSL server.

Tomcat SSL server configuration: (only one file CONF/server. xml needs to be modified)

<Connector Port = "8443" maxhttpheadersize = "8192"

Maxthreads = "150" minsparethreads = "25" maxsparethreads = "75"

Enablelookups = "false" disableuploadtimeout = "true"

Acceptcount = "100" Scheme = "HTTPS" secure = "true"

Clientauth = "false" sslprotocol = "TLS" keystorefile = "D:/work/ASF/WebService/src/CONF. Test/keys/alisoft. jks"

Keystorepass = "alisoft" keystoretype = "jks" truststorefile = "D:/work/ASF/WebService/src/CONF. Test/keys/alisoft. jks"

Truststorepass = "alisoft" truststoretype = "jks"/>

Clientauth does not need to be set to true, and authentication is not required again. If this value is set to false. The other values are the location and password of the server certificate library generated. Note that the keystore password is the same as the private key password, because there is only one place to configure the password, which is the same when the public key pair is generated. In this way, you can directly access port 8443 as HTTPS to access the service.

XfireThe client performs unit tests,CodeAs follows:

Public static void sslsecuritytest ()

{

Service servicemodel = new objectservicefactory (). Create (iaccountservice. Class );

// The client code for HTTPS needs to be added

System. setproperty ("Java. Protocol. handler. pkgs", "com.sun.net. SSL. Internal. www. Protocol ");

System. setproperty ("javax.net. SSL. keystore", "d:/work/ASF/WebService/src/CONF. Test/keys/myisvdemo. jks ");

System. setproperty ("javax.net. SSL. keystorepassword", "myisvdemo ");

System. setproperty ("javax.net. SSL. truststore", "d:/work/ASF/WebService/src/CONF. Test/keys/myisvdemo. jks ");

System. setproperty ("javax.net. SSL. truststorepassword", "myisvdemo ");

System. setproperty ("Java. Protocol. handler. pkgs", "com.sun.net. SSL. Internal. www. Protocol ");

Security. addprovider (New com.sun.net. SSL. Internal. SSL. provider ());

String serviceurl = "http: // localhost: 8080/axis2/services/accountservice ";

String servicehttpsurl = "https: /localhost: 8443/xfire/services/accountservice ";

String servicehttpsurl2 = "https: // localhost: 8443/axis2/services/accountservice ";

Try

{

Iaccountservice service = (iaccountservice) servicefactory. Create (servicemodel, servicehttpsurl2 );

// WS-Security Configuration

Client client = (xfireproxy) proxy. getinvocationhandler (Service). getclient ();

Client. addouthandler (New domouthandler ());

Properties Properties = new properties ();

Properties. setproperty (wshandlerconstants. enable_signature_confirmation, "false ");

Properties. setproperty (wshandlerconstants. Action, wshandlerconstants. signature );

// Properties. setproperty (wshandlerconstants. Action, wshandlerconstants. timestamp );

Properties. setproperty (wshandlerconstants. sig_prop_file, "keys/client. properties ");

// Properties. setproperty (wshandlerconstants. User, "myisvdemo ");

Properties. setproperty (wshandlerconstants. User, "wenchu ");

Properties. setproperty (wshandlerconstants. pw_callback_class, clientutpasswordhander. Class. getname ());

// Properties. setproperty (wshandlerconstants. sig_key_id, "issuerserial"); // "directreference", "issuerserial", "skikeyidentifier"

Properties. setproperty (wshandlerconstants. sig_key_id, "skikeyidentifier ");

Client. addouthandler (New wss4jouthandler (properties ));

Accountbean [] result = service. getuseraccountlist ("te", "ta ");

System. Out. println (result. Length );

}

Catch (exception ex) {ex. printstacktrace ();}

}

This ensures that the client configuration is no longer correct, so SSL in the ASF framework is mainly integrated. Because Jetty is integrated in ASF, you only need to construct the ssing server in the sslsocketconnector type when jetty dynamically establishes the mapping server. In this way, you can respond to the HTTPS part, it can also be published on other ports as a service that does not require SSL. The details are omitted here. The transformation is not very complicated. You only need to know jetty better. But here I would like to like jetty, which is really a lightweight good thing. After integration, perform unit test again. OK. The test passes.

. Net client Test

Finally, you need. net SSL test, due. net client has configured the policy as the WS-Security Configuration last time. According to common sense, it should be unnecessary to configure certificates and other things, when creating a Web reference, you will be prompted that the certificate authorization authentication does not meet the identity of the address to be accessed. This can be ignored. Then, after the test, we will always prompt that the TLS/SSL interaction channel cannot be established. To check the channel, just add the following sentence:

System. net. servicepointmanager. servercertificatevalidationcallback = delegate {return true ;};

It is used to accept all certificates. In our SSL process, it is omitted to check whether the certificate CA is trusted, just like when we visit a website without a letter of trust, we click OK in the prompt box.

So far, the SSL configuration and testing of the application server have basically ended. The structure and design of hardware SSL will be discussed later.

Hardware SSL Structure Design

First of all, why should we use SSL for encryption? We can simply use WS-Security, and WS-Security has many features that cannot be achieved by SSL (not based on the transport layer, ensure non-point-to-point secure transmission, partial encryption, and so on ). However, in the previous stress test, we can see that encryption has not been used, but the CPU consumption of the signature server has increased exponentially, which shows the impact on performance. At the same time, the application server SSL mentioned above is actually similar to WS-Security, which consumes a lot. Therefore, the design of hardware SSL is proposed.

Here we mainly mention two types, and the second one is also recommended by SA.

I. add an independent SSL accelerator card for the application server, such as the roadcom cryptonetxm card. The SSL accelerator card is used to independently process the SSL processing work of the application server, allowing the application server to focus on processing application requests, the performance of the application server is not affected.

Figure SSL accelerator card deployment

Because many servers use different encrypted data, managing such a web server group is costly and complex. At the same time, each encrypted server in the traditional Server Load balancer array requires an SSL accelerator card and digital certificate, and the certificate is an electronic authentication identifier signed by the CA, consistency Verification is provided for encrypted communication. Therefore, the management of CA electronic authentication marks is also very complicated. Therefore, a second design mode is created.

2. Combine SSL infrastructure with BIG-IP

BIG-IP is a server that runs the BIG-IP load balancing software. It implements SSL off-loading through the SSL accelerator card, and can also achieve load balancing at the application layer and IP layer. With SSL termination, the front-end BIG-IP is responsible for centralized SSL processing and balancing the processed request load to each application server, which reduces the cost of SSL Certificate Management, it also reduces the complexity of managing web server groups.

<End>