Wednesday, August 24, 2011

Live from 36000 Feet - How to deploy the Vordel Gateway in Multiple Environments


First of all, a quick acknowledgement of my lack of blogging. Life at Vordel has been really fast paced, and I've been traveling the country working on a lot of interesting use cases with some really great customers. I'm flying from San Diego to San Francisco, and this flight has WiFi, so I guess I'm out of excuses.

A quick note on feature that was added in 6.0.3 - envSettings.properties. This is the ability to externalize attribute values in the gateway's per environment. The file can be found in the $VINSTDIR\conf directory. The text below, from the file explains how to use it.
# This file is read when the server starts up. If a server configuratio
n contains a value in the format
# ${env.X}, where X is any string (for example, MyCustomSetting), this file MUST contain an equivalent
# name-value pair of env.MyCustomSetting=MyCustomValue.
# When the server starts up, every occurrence of env.MyCustomSetting is expanded to the value of MyCustomValue.
# For example, if a port in the server configuration is set to ${env.LISTENER_PORT}, specifying a name-value
# pair of env.LISTENER_PORT=8080 results in the server opening up port 8080 at start up.
env.LISTENER_PORT=8080

Here we see the corresponding configuration in the Policy Studio


This is a very simple. but powerful approach for configuring the gateway to work across environments. It also aligns nicely with most enterprises existing approach for moving configurations among environments.

Looks like I forgot to charge my battery, and no AC power on the flight, so this is going to have to be a short post :)

Friday, April 22, 2011

Finalized Agenda for First Meeting of the Boston Chapter of CSA - NOTE: NEW LOCATION

I've got the agenda for the first meeting of the Boston Chapter of the Cloud Security Alliance.

When: Wednesday April 27, 2011 - 6:00 PM - 7:30 PM
Where: CA Offices in Framingham, MA
Agenda: Two presentations, each with their own unique and insightful perspectives on the topic of cloud security.

Presentation #1: Cloud Computing Risks

Speaker Bio:

Bhargav Shah is a Director within KPMG Advisory practice. He has over 12 years of experience as a trusted advisor to C-level and Senior IT leadership having led multiple engagements in Outsourcing, Cloud Computing, IT Solution Delivery/Application Development, Process Engineering, and IT Services Management. Mr. Shah regularly speaks at conferences and IT leadership forums on various topics related to Outsourcing and Cloud Computing. He also leads KPMG’s solution development initiatives related to IT implications of cloud computing.

Abstract:

As the paradigms of technology consumption change, cloud computing is at the forefront of an IT transformation providing infrastructure, platforms, and software as services to the business. While some call it a technology fad, the pervasive buzz around cloud computing is here to stay. Cloud computing provides many benefits but introduces just as many risks. Successful organizations must understand and mitigate these risks to get more out of their cloud computing initiatives.

In this session, Bhargav Shah will share his insights on the types of risk you need to be aware of while utilizing cloud computing, how they vary by cloud model you use (Public vs. Private) and what controls you can consider to mitigate some of these risks associated with cloud computing.


Presentation #2: Cloud Computing and it’s impact of Identity & Access Management (IAM) Infrastructure

Speaker Bio:

Robert Levine brings more than 25 years of technology management experience to SENA Systems that includes significant customer and vendor side enterprise software and knowledge. Robert has served as SENA’s President & CEO since 2001 and with the SENA management team has overseen its growth in the US, Europe, Asia and the India operations center as well as its merger in March of 2008 with aurionPro Solutions LTD. Robert presently holds the position of President of aurionPro Solutions Inc as well as the head of the SENA Systems business unit. Prior to joining SENA Systems, Robert worked for Venture Consulting Group, Inc. a provider of management services to early stage and restructuring companies, as a strategic business advisor to both public and private companies.

Robert previously served as the VP of Business Development for Transindigo, a startup e-infrastructure company providing mission critical solutions for securely managing transactional entitlements and authorizations that was sold to RSA. Robert also served as the co-concept originator, interim CEO and technical advisor to Transindigo prior to its launch in January 2000. Prior to Transindigo, Robert served as Managing Director, Deutsche Bank Strategic Ventures and as Managing Director in Bankers Trust's Technology and Operations Group where he was a member of the management team responsible for Global Technology Infrastructure. Robert served on the board of IQ Financial, a global software supplier of front, middle and back-office financial services technology selling to global financial firms that was later sold to Misys. He also served as the technical advisory board of mFormation a wireless network management products and services company. Robert was a founding member and Vice President of SIMC, a nonprofit organization, that focused on advancing the capabilities of middleware in the financial services industry. Robert is a strong believer of community service and currently serves in a Line Officer capacity as Sergeant of his local community EMS Rescue Squad

Abstract:

No conference, seminar or a CXO level technology roadmap meeting today is complete withouta discussion on Cloud Computing. Every organization is asking the question – how could, would and should cloud computing impact or influence their plans related to IAM.


In SENA’ talk on Cloud Computing we will discuss the following considerations:

· Two Fold impact of Cloud Computing on IAM Services

o Protecting cloud based applications with should IAM Services.

o Providing IAM Services over a Cloud infrastructure.

· IAM Infrastructure

o Considerations related to Software as a Service, Platform as a Service and Infrastructure as a Service including SENA’s plans regarding such offerings.

o Differentiating the advantages and challenges related to

§ Identity Management

§ Access Management

· A frank assessment of where the security industry is with regards to Cloud offerings.

Monday, March 21, 2011

Call for Speakers - First Meeting of the Boston CSA Chapter - April 27 6:00 @ Oracle Offices in Burlignton

I'm happy to announce that we're going to have our first meeting of the Boston Chapter of the Cloud Security Alliance on Wednesday, April 27th at 6:00 at the Oracle office in Burlington, MA.

The topic for this meeting is Cloud Security Architecture. We wanted to cover both the conceptual (NIST, CSA Reference Architecture, etc) and the practical - real world examples of what people are using/deploying in their environments. The agenda will be something like this:

6:00 - 6:15 Introductions
6:15 - 6:45 Presentation 1 - Cloud Security Architecture - Conceptual
6:45 - 7:15 Break/Networking Session
7:15 - 7:45 Presentation 2 - Cloud Security Architecture - Practical/Use Case
7:45 - 8:00 Closing

We're looking for speakers on both the abstract notion of "What is Cloud Security Architecture?" and a more practical hands on use-case driven view of the topic. If you are interested in speaking or participating in a round-table type discussion, please send me which topic you're interested in presenting, and speaker's BIO (linkedin profile). Please send this to me (josh.bregman@vordel.com) by Thursday, March 31st.

Looking forward to a great first session.

Friday, March 4, 2011

Minutes from the Boston Chapter of the CSA's first Board Meeting

After many scheduling challenges, we had our first CSA Boston Chapter Board Meeting. The "Board" consists of me (Vordel), Prateek Mishra (Oracle),Matthew Gardiner (CA), and Kevin Fox (Cisco). A really good session for planning out the year. Here's the basic thinking:

- Divide the CSA guidance into 4 units and have 1 meeting focused around each unit
- The events will be about 2 hours - 1 hour on high-level information contained in the CSA guidance and 1 hour on a lower level details of someone who is actually living/implementing the scenario
- We'll rotate the location among CA, Oracle and Cisco locations - basically 128/495

The next steps are to have Matt, since it was his idea, to group the domains into the four meeting "buckets", and for us to meet again in two weeks to start the planning of the 1st meeting - targeted for some time in April.

Once we get the meeting "themes" worked out, we'll be publishing them with some tentative dates, and we'll be issuing a pseudo "call for speakers". Ultimately we're looking to have some really interesting speakers and presentations that are worth the trip - but for that to happen we'll need everyone's help. Ping any of the board members if you have a topic to suggest (aligned with the CSA Guidance) or a speaker that you think would be good.

We're also open to any other suggestions/guidance that people may have, so don't hesitate to speak up.

Wednesday, March 2, 2011

How to turn an XML Gateway into a Maven Repository

I've made some real progress on the Maven integration with the Vordel XML Gateway. I've updated the incubator with the latest set of policies. These policies provide two main features:


  • The ability to download the Gateway libraries as dependencies directly from the gateway
  • The ability to deploy Maven artifacts to the gateway


Exposing the libraries of the Gateway as POMs


One of the main challenges in getting a technology like the gateway that isn't built using Maven into the Maven world is the mapping of jars to POMs. As I showed previously, you can do this, but its a manual process. You could automate it with ANT tasks, but its still tricky. I encountered this problem before when I was trying a similar exercise with Oracle Entitlements Server. For that I wrote a bunch of custom code and deployed it as a WAR to the OES Admin Server. Not bad, but with the gateway it was even simpler.

Basically I used the static content service to point to the directories on gateway, and then used a policy to handle a view of the subtleties - we only have MD5 checksums, POMs need to get generated since we don't have them, some of the mappings for the org.eclipse libraries are irregular. For the main case, retrieving the jar, I'm just manipulating the http.request.uri property and passing it to the static content service. Magically, it returns the POM, the JAR, and the MD5 checksum of the JAR. I also used a cool feature new to 6.0.3 - the ${env.xxx} capabilities. You can use this namespace from inside of a policy, and the gateway will resolve the value based on the envSettings.props file. I used this to specify the values of the location of the gateway in my environment


env.maven.gateway.path=c:\\Users\\jbregman\\Documents\\products\\xml gateway\\vordelgateway\\system\\lib
env.maven.policystudio.path=c:\\Users\\jbregman\\Documents\\products\\xml gateway\\policystudio\\plugins
env.maven.repo2.path=c:\\Users\\jbregman\\repo2


In order to take advantage of my gateway as a repository, I modified the parent POM of the sample-filter, to include:

<repositories>
<repository>
<id>vordelgateway</id>
<url>http://localhost:9090/repo</url>
</repository>
</repositories>


This means that when its looking for the dependencies, it will check the gateway, and they will be downloaded to your local repository so you can compile. Maven supports SSL and Basic Authentication, so these things could easily be added to both the Maven configuration as well as applied to the Maven policies running on the gateway.

Deploying Maven Artifacts to the Gateway


The first question is "Why would you want to do that?". One use case that I'm working on is for custom filters. Once the jar is built, it needs to be copied to the gateway's lib directory, so this is the foundation for that. I'm not there yet - need to do something with the file once its there, but I like the simplicity of using the mvn deploy task to push the artifact to the gateway for me. Ultimately my goal is to package up all of the dependent artifacts and push/deploy them to the gateway.

The policies for this one were a little more complicated because the static content service only gets me so far - it doesn't handle HTTP PUT requests- which is what Maven uses to push the files to the server. No problem - I simply used the Save to File filter - to store the file on disk. Again, I used the ${env.xxx} to define the location on disk for the repository.

In order for projects to take advantage of this capability, I again modified the parent POM:


<distributionManagement>
<repository>
<id>dev-integration-gateway</id>
<name>Dev Integration Gateway</name>
<url>http://localhost:9090/repo2</url>
</repository>
<snapshotRepository>
<id>dev-integration-snapshot-gateway</id>
<name>Dev Integration Gateway</name>
<url>http://localhost:9090/repo2</url>
</snapshotRepository>
</distributionManagement>


This means than when you run mvn deploy the artifact can be pushed and stored on the gateway. Presumably, in addition to just deploying the file, other actions could be taken - synchronously or asynchronously.

Implications for the SDLC


Notice that in the parent POM, there is the same server (localhost) referenced both times. I put the two separate repositories on different relative paths to simplify the implementation, but in practice these repositories are likely to be on separate instances. The idea is that a developer working on a sandbox instance can download the libraries to their local repository, develop the component and then deploy it to the dev-integration-gateway. The thinking here is that this gateway is the first managed gateway. The gateway's configuration is then pushed using the policy directory from the dev-integration gateway to QA. Getting all of this to work end-to-end using Maven is the goal of Maven Integration project on the incubator.

If you like where this is headed, get involved, join the incubator at cloudservicebroker.googlecode.com.

Thursday, February 24, 2011

REST API for message level and system level metrics for the XML Gateway

In my first few weeks at Vordel, I've been spending a lot of time on the "cool" part of the product - building circuits and policies. As a developer, I really enjoy (am amazed) at how quickly you can know things out. But this is a job after all, so I also have to spend time coming up to speed on some of the less "glamorous" yet really important and valuable features of the product.

I've started to look at the various administrative interfaces in the product and see what makes them tick. One really powerful feature of the Vordel XML Gateway is its out-of-the-box real time monitoring capabilities. The application itself is a Flash app that displays all of the details of the usage of the gateway - successful messages, blocked messages, failed messages - traffic to various remote hosts.

One thing that it also has is the system utilization - memory and CPU. This is really nice because you can get both the message (application level) and system-level information from a single source. This makes the task of integrating this information into an enterprise operations system much simpler. But how do you get at the information. Simple, http://gateway:8090/metrics



Notice that I'm just accessing the URL form a browser and you can see both the system information, as well as all of the statistics for the messages.

This is the same URL that the flash application accesses to retrieve the information in the real time monitor. The URL is protected with HTTP Basic authentication (all of the admin services are out of the box) so access is restricted as well as audited. Now that you know that the REST API is available, you can integrate this information into your environment.

Tuesday, February 22, 2011

How to Use an XML Gateway with an Asynchronous Web Service using WS-Addressing


In general synchronous web-services are simpler and more common than asynchronous web services. I like them, because for 99% of cases, the security can be done at the transport level using 2-way SSL. Asynchronous web-services introduce additional security challenges - mainly that messages are likely to be in memory or on disk where the transport is not there to keep the contents of the message secure. The purpose of this post is not to explore the security challenges of using asynchronous web-services, but another complexity - proper handling of web-services callbacks through an intermediary.

One of the main uses of an XML gateway is to encapsulate the end-point of the actual service from the caller. This approach is aligned with SOA best practices, but from a security perspective not letting people know where your service actual lives is a really good idea. This principal can also apply in the callback use case - we may want to hide the location of callback URL from the actual service - let's for the sake of this discussion consider it need to know. The end service can just callback to the gateway, and the gateway will deliver the message back to its appropriate destination.

Now assuming that we're not passing the location of the callback - in WS-Addressing this is called the wsa:ReplyTo address - then when the gateway finally receives the response, how does it know where to send the message? To solve this problem, the gateway needs to create a cache of replyTo URLs keyed off of the messageId. Each request has a wsa:MessageId. When the server sends its reply, the original message id is reference in the wsa:RelatesTo header. This way the gateway can correlate the request with the response.

Understanding the Example
I've created an example project that demonstrates how the gateway works in the above scenario. I'm using the gateway to play the role of 3 different use case actors - client, gateway, and server.


  • Client - SOAPBox is sending the initial request to the service. I created an HTTP service listening on port 11000 to serve as the destination of the final wsa:ReplyTo.
  • Gateway - When the service gets invoked, the gateway stores the wsa:ReplyTo in a cache (keyed by the wsa:MessageId) and modifies the wsa:ReplyTo and wsa:To fields accordingly. In the callback service, the gateway retrieves the original wsa:ReplyTo from the cache (pulling the key from the wsa:RelatedTo) field, and sends the request to the original wsa:ReplyTo
  • Server - This is just using the gateway to simulate the back end server. When it receives the message, it simply sticks the file on disk. The gateway has a directory scanner configured. Directory Scanner is the ability for the gateway to process files sitting on the file system. When the Directory Scanner finds a file, it modifies the response (read: appends "Hello" to the message) and then sends it to the address in the wsa:ReplyTo which is the gateway.
You can see what an end-to-end flow looks like in the Real Time Monitor

The Gateway Policy Details
The example contains policies for all three roles.


I wanted to spend some time here to review in a little more detail the gateway and what it does when it processes the request, and handles the callback. When the request arrives, the original message looks something like this:


<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing">
<soap:Header>
<wsa:MessageID>uuid:6B29FC40-CA47-1067-B31D-00DD010662DA</wsa:MessageID>
<wsa:ReplyTo>
<wsa:Address>http://localhost:11000/callback</wsa:Address>
</wsa:ReplyTo>
<wsa:To>http://localhost:12000/SoapContext/SoapGreeterPort</wsa:To>
<wsa:Action>Greet</wsa:Action>
</soap:Header>
<soap:Body>
<x1:greetMeOneWay xmlns:x1="http://apache.org/hello_world_soap_http/types">
<!-- Element must appear exactly once -->
<x1:requestType>Asynch Client using WS-Addressing</x1:requestType>
</x1:greetMeOneWay>
</soap:Body>
</soap:Envelope>


The message gets picked up and processed by the following policy:



I'm using policy shortcuts to encapsulate all of the details, but you get the basic idea. The message leaving the gateway has been transformed to have the gateway address in the wsa:ReplyTo and the server's address in the wsa:To. This is the resulting message sent to the server.


<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing">
<soap:Header>
<wsa:MessageID>uuid:6B29FC40-CA47-1067-B31D-00DD010662DA</wsa:MessageID>


<wsa:Action>Greet</wsa:Action>
<wsa:ReplyTo>
<wsa:Address>http://localhost:12000/SoapContext/GreetCallbackSoapPort</wsa:Address>
</wsa:ReplyTo><wsa:To>http://localhost:13000/SoapContext/SoapGreeterPort</wsa:To></soap:Header>
<soap:Body>
<x1:greetMeOneWay xmlns:x1="http://apache.org/hello_world_soap_http/types">
<!-- Element must appear exactly once -->
<x1:requestType>Asynch Client using WS-Addressing</x1:requestType>
</x1:greetMeOneWay>
</soap:Body>
</soap:Envelope>


So when the reply comes back from the server, and arrives back at the gateway, it has a new wsa:messageId, but the original messageId is available in the wsa:RelatesTo header.


<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Header>
<wsa:Action
xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" />
<wsa:MessageID
xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing">
uuid:Id-0000012e5303f409-0000000000a96fd2-2
</wsa:MessageID>
<wsa:RelatesTo
xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing">
uuid:6B29FC40-CA47-1067-B31D-00DD010662DA
</wsa:RelatesTo>
<wsa:To xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing">
http://localhost:12000/SoapContext/GreetCallbackSoapPort
</wsa:To>
</soap:Header>
<soap:Body>
<x1:greetMeResponse
xmlns:x1="http://apache.org/hello_world_soap_http/types">
<!-- Element must appear exactly once -->
<x1:responseType>
Hello Asynch Client using WS-Addressing
</x1:responseType>
</x1:greetMeResponse>
</soap:Body>
</soap:Envelope>


The callback policy then picks this message up and applies the following filters:




This is the basic caching pattern used by the gateway. The cache's key is the wsa:messageId set by the incoming request. This can then be retrieved from the cache by pulling the wsa:RealtesTo messageId. The resulting URL is then set as the destination (wsa:To) of the response, and the reply is sent. The final message looks like this:


<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Header>
<wsa:Action
xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" />
<wsa:MessageID
xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing">
uuid:Id-0000012e53675a57-0000000001f76db2-18
</wsa:MessageID>
<wsa:RelatesTo
xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing">
uuid:6B29FC40-CA47-1067-B31D-00DD010662DA
</wsa:RelatesTo>
<wsa:To xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing">
http://localhost:11000/callback
</wsa:To>
</soap:Header>
<soap:Body>
<x1:greetMeResponse
xmlns:x1="http://apache.org/hello_world_soap_http/types">
<!-- Element must appear exactly once -->
<x1:responseType>
Hello Asynch Client using WS-Addressing
</x1:responseType>
</x1:greetMeResponse>
</soap:Body>
</soap:Envelope>
I've exported this project and added it to the Vordel Incubator. You can download the config here. Let me know what you think.















Friday, February 18, 2011

Architectural Pattern for XML Gateway - Service Bus Sandwich


I was in a discussion yesterday with a customer and the question of "Do I need an internal gateway in addition to my ESB?" came up. In general, people thing about XML gateways as the security appliance that you stick in the DMZ to prevent unauthorized access to services (i.e. the Super PEP). So, why do I need another one in my internal network?

Service Bus Sandwich

I think the most basic reason is that the system that does security processing at the front of the bus should be the same system that does security processing at the back of the bus. This promotes a consistent approach - same policies, same certificates, same administrative interfaces. This also optimizes the capabilities of each component in the architecture - XML Gateway off loads the security processing from the ESB - SSL Termination, XML threat checking, authentication, authorization, message encryption/signing etc. - and the ESB does what it does best - routing, transformation, service virtualization, protocol translation etc.

So, with all of the security processing off loaded to the XML Gateway, how should the ESB and the XML Gateway work together to pass security context. I think the simplest way is to simply use 2-way SSL between the front XML Gateway and the 2-way SSL between the back XML Gateway. This ensures that the ESB is receiving valid messages from the XML Gateway and that it can continue processing the message. Likewise for the back XML Gateway - since it trusts that the request is from the ESB, it can send the message off to its next destination. This makes the sole security interface between the XML Gateways and the ESBs a common trusted Certificate Authority.

If more information needs to be passed form the XML Gateway to the ESB - like the identity of the calling service/user, then you can simply use SAML bearer profile. This profile basically means "trust this assertion if you want.". Since we know the request is over 2-way SSL, bearer seems fine. You could optionally have the XML Gateway or STS sign the assertion, but its probably not necessary. If you're inclined to add the additional control of the signed assertion, you're only adding a public key/CA to the ESB - still a pretty minimal binding.

Looking at the back XML gateway, this is basically the Cloud Service Broker - mediating out access to services in the cloud - but what if you're not using any cloud services yet. Do I still need have the 2nd XML Gateway? Besides the benefits of centralization and consistency, lets look at another real world use case. Information arriving at the front gateway was secured in transmission using 2-way SSL, but contains PII that needs to be masked from the ESB while being processed - it can't be exposed in the clear, in logs, etc. - but the target service requires that information for processing. In this case the front XML Gateway can encrypt/mask the contents of the message and the back gateway can decrypt/unmask the message prior to being sent to the back end service.

In summary, in architectures that contain an ESB, having both a front XML Gateway to secure incoming traffic and a back XML Gateway to secure the outbound traffic provides real benefit. This may or may not represent two physically separate deployments - it just depends if the out bound traffic is allowed to be sent back out through the DMZ. The trust among the components can be done via transport - typically 2-way SSL. This greatly simplifies the administration of security policies, and optimizes the utilization of both the ESB and the XML Gateway.

Tuesday, February 15, 2011

It Takes A Village....Announcing the Vordel Incubator


After much debate, I'm pleased to announce the Vordel Incubator. I'm modelling after the wildly successful Oracle Coherence Incubator. The idea is to work as a community - company, customers, partners - on building solutions to real-world problems.

I've started the project off very modestly with a publishing of the full Maven project that I discussed earlier. As people know, I'm very interested in Maven and believe it is a really good tool for integrating a product into an enterprise SDLC. We'll be using it for the incubator. As such, there is some work to do in short order to extend the existing Maven support through out the fuller lifecycle - automated testing, deployment etc. I eager to work on these topics.

Additionally, as my team works with customers, there a common requests for solutions or examples that everyone would benefit from. Its my intention to grow a library of such solutions in the incubator as well.

Ultimately what I want is to try to harness the enthusiasm of the customers/partners that I've met over my first 6 weeks at Vordel - and channel into building things together that benefit everyone. But to do that, I need people's help and participation. If you are interested in participating in any way, please let me or anyone at Vordel know, and we'll get you looped into what we're doing. I've created a public google group to host discussions, so you can express your views/interests there.

I look forward to working with all of you on this.

Monday, February 14, 2011

How to extend the Vordel XML Gateway with Maven

One of the strengths of the Vordel XML Gateway is the ability of the product to be extended using Java. You can do this in two ways: JavaScript and through writing custom Filters. The really clever part about how the XML Gateway is engineered is that the underlying XML layers are written in native code so the product is really fast even when you have to use Java to customize it.

Recently, I had a customer ask "How do I build filters using Maven?". This is obviously a person after my own heart. I had spent a lot of time last year working with Maven, in particular for the OES/Spring/JBOSS/AOP integration I did. So, these are the steps for building the Example Filter using Maven.

Step 1 - Load the Dependencies into the Local File System


This for me is always the trickiest part. For things that are "non-Maven" you need to get them loaded as dependencies - but how? In order to get the XML Gateway APIs loaded into the local repository, you need to use the install:install-file goal to load some of the jars. As I continue to invest in this solution, look for other more elegant approaches, but for now this is what I'm going with.

This is the commands I ran, in my linux environment:


mvn install:install-file -Dfile=/opt/vordel/vordelgateway/system/lib/circuit.jar -DgroupId=com.vordel.vordelgateway -DartifactId=circuit -Dversion=6.0.3 -Dpackaging=jar

mvn install:install-file -Dfile=/opt/vordel/vordelgateway/system/lib/server.jar -DgroupId=com.vordel.vordelgateway -DartifactId=server -Dversion=6.0.3 -Dpackaging=jar

mvn install:install-file -Dfile=/opt/vordel/vordelgateway/system/lib/entityStore.jar -DgroupId=com.vordel.vordelgateway -DartifactId=entityStore -Dversion=6.0.3 -Dpackaging=jar

mvn install:install-file -Dfile=/opt/vordel/vordelgateway/system/lib/manager.jar
-DgroupId=com.vordel.vordelgateway -DartifactId=manager -Dversion=6.0.3 -Dpackaging=jar

mvn install:install-file -Dfile=/opt/vordel/vordelgateway/system/lib/common.jar
-DgroupId=com.vordel.vordelgateway -DartifactId=common -Dversion=6.0.3 -Dpackaging=jar

mvn install:install-file -Dfile=/opt/vordel/vordelgateway/system/lib/client.jar
-DgroupId=com.vordel.vordelgateway -DartifactId=client -Dversion=6.0.3 -Dpackaging=jar

mvn install:install-file -Dfile=/opt/vordel/policystudio/plugins/org.eclipse.gef_3.2.101.v20070814.jar -DartifactId=gef -DgroupId=org.eclipse -Dversion=3.2.101 -Dpackaging=jar

mvn install:install-file -Dfile=/opt/vordel/policystudio/plugins/org.eclipse.jface_3.3.1.M20070910-0800b.jar -DgroupId=org.eclipse -DartifactId=jface -Dversion=3.3.1 -Dpackaging=jar

mvn install:install-file -Dfile=/opt/vordel/policystudio/plugins/org.eclipse.swt.gtk.linux.x86_3.3.2.v3347.jar -DgroupId=org.eclipse -DartifactId=swt -Dversion=3.3.2 -Dpackaging=jar


Step 2 - Create a Parent POM


The parent POM references all of the dependencies, as well as simplifies the rest of the building process:


<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>com.vordel.vordelgateway</groupId>
<artifactId>parent</artifactId>
<version>6.0.3</version>
<packaging>pom</packaging>
<build>
<plugins>
<plugin>
<version>2.3.1</version>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-jar-plugin</artifactId>
<configuration>
<archive>
<manifestFile>src/main/resources/META-INF/MANIFEST.MF</manifestFile>
</archive>
</configuration>
</plugin>
</plugins>
</build>
<dependencies>
<dependency>
<groupId>com.vordel.vordelgateway</groupId>
<artifactId>circuit</artifactId>
<version>6.0.3</version>
</dependency>
<dependency>
<groupId>com.vordel.vordelgateway</groupId>
<artifactId>server</artifactId>
<version>6.0.3</version>
</dependency>
<dependency>
<groupId>com.vordel.vordelgateway</groupId>
<artifactId>entityStore</artifactId>
<version>6.0.3</version>
</dependency>
<dependency>
<groupId>com.vordel.vordelgateway</groupId>
<artifactId>manager</artifactId>
<version>6.0.3</version>
</dependency>
<dependency>
<groupId>com.vordel.vordelgateway</groupId>
<artifactId>client</artifactId>
<version>6.0.3</version>
</dependency>
<dependency>
<groupId>com.vordel.vordelgateway</groupId>
<artifactId>common</artifactId>
<version>6.0.3</version>
</dependency>
<dependency>
<groupId>org.eclipse</groupId>
<artifactId>jface</artifactId>
<version>3.3.1</version>
</dependency>
<dependency>
<groupId>org.eclipse</groupId>
<artifactId>gef</artifactId>
<version>3.2.101</version>
</dependency>
<dependency>
<groupId>org.eclipse</groupId>
<artifactId>swt</artifactId>
<version>3.3.2</version>
</dependency>
</dependencies>
</project>


With the POM created, run mvn install to load the POM into your local repository

Step 3 - Create the Example Filter Project


I used eclipse and the Eclipse Maven Plugin. I created a new Maven project that referenced the Parent POM


<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<parent>
<artifactId>parent</artifactId>
<groupId>com.vordel.vordelgateway</groupId>
<version>6.0.3</version>
</parent>
<modelVersion>4.0.0</modelVersion>
<groupId>com.vordel.vordelgateway</groupId>
<artifactId>example-filter</artifactId>
<version>0.0.1-SNAPSHOT</version>
<build>
<plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-compiler-plugin</artifactId>
<version>2.0.2</version>
<configuration>
<source>1.6</source>
<target>1.6</target>
</configuration>
</plugin>
</plugins>
</build>
</project>


I then moved some files from the original example to conform with the Maven structure. I moved the simple.gif and resource files to their proper Maven place under resources. I also moved the MANIFEST.MF file to src/main/resources/META-INF so it is included in the jar.



You should be able to build the project. All that's left to do is copy the jar to the /opt/vordel/vordelgateway/ext/lib and the /opt/policystudio/plugins directories, and your plugin should be good to go.

Friday, February 11, 2011

How to retrieve an OAuth token from a WS-Trust based Security Token Service (STS)

I'm finally back home after 4 straights days in airports. During the week I delivered a really interesting use case that I wanted to share. This was in support of a demo where the customer wanted to understand how OAuth works with the XML Gateway. Given the natures of POCs, I had already built much of the demo around the customer's other requirement - retrieving a SAML assertion via a WS-Trust based STS. I had to come up with a way to add the OAuth functionality to the existing scenario. I think the approach that I came up with is novel and so I wanted to share it on the blog.

If you look at a WS-Trust RST (Request for Security Token) message, the initiator can request a token type, so the call to the STS can reasonably start with a request for an OAuth token, but the real question is "What to return and how to return it?". One thing that I liked about this particular scenario was that it gave me a change to dig a little more deeply into OAuth 1.0. I think I understand it much better. There have been many places where OAuth has been explained, so I won't cover everything, but basically for the Gateway scenario calling a service protected with OAuth, you need an access token and a corresponding access token secret. For the purposes of this scenario, I assumed that the access token and access token secret were already available to the STS - let's just say this happens when the user elects to allow the gateway application access to its information.

So, then how should we return this information. Both the access token and access token secret are just strings. The solution I used was to return them as Attribute Statements inside of a SAML assertion. One of the great things about SAML is its ability to include attributes related to the subject. The eliminated the need to come up with a custom token or simply pass them pack in the transport. The transport is OK, but I like the elegance of using SAML and quite frankly how easy it was to implement using the gateway.

On the caller side, I needed to modify the request to the STS to have the right token type
and then retrieve the assertion from the response.


The XML Gateway has a single filter that retrieves attribute assertions...couldn't have been easier.
On the STS side, this was also really simple. I just added a branch in the STS policy to handle the case where an OAUTH token has requested and the call the policy to add the SAML Attribute Assertion.
A quick re-deploy of the policy and I was in business. For the purposes of this demo, I used the LinkedIn API which is protected by OAuth, and made a simple call to get my network updates for the day.

I did all of this in about 1 hour very late at night - another strong testimony for the tool. The fact that I could get and set the SAML assertions so easily, really made the whole thing "just work".

I know that OAuth 2.0 has a binding for passing a SAML assertion to retrieve an access token, but the convergence between SAML and OAuth is definitely underspecified.
The scenario I'm showing here is the binding of an OAuth access token to a SAML assertion. From a specification perspective, I think all you would need to formalize are the constants for requesting the token from the STS (token type) and the attribute names (OAuth access token) themselves. I'll get Mark on it after he gets back from RSA :)

Tuesday, February 1, 2011

How to Secure the Cloud?


I'm in the process of getting the Boston chapter of the Cloud Security Alliance started. I'm just waiting for the "paperwork" to go through, but I'm really excited about what I'm hearing from customers about the cloud. Coming from Oracle, you get a bit of the "Larry Hates the Cloud" mindset, but in my limited time here at Vordel, I can see the deep interest from customers.

Mark O'Neill has published a few articles recently on a few topics within cloud security (SSO to Google Mail and Security Checklist for Cloud Security) but there is single "Cloud Security" solution. Probably the only term less well defined than "Cloud" is "Security". CSA is starting a whole new focus are on "Security as a Service" - again we could have/and will continue to have a debate over what is a "Service".

Unlike SOA, IT people are being asked by the business "What are we doing about the cloud?". This is because the "cloud" model continues to drive real cost savings. So, given the state of security in the cloud....what should you do?


From my perspective, the technical alignment between the traditional XML Gateway use cases and the Cloud Service Broker use cases suggests that though the space and the standards are evolving, an investment in an XML Gateway will provide significant value moving up into the cloud. What do you think?


Friday, January 28, 2011

Architectural Patterns for XML Gateways

What a week! I didn't get stuck anywhere - except for snowed in at home - but it was really busy. I did have the pleasure of ending the week briefing a group of really smart architects and pre-sales people on the Vordel Gateway.




















When talking about the gateway, it is easy to get into the weeds of does it support this crypto accelerator or this version of the WS-SecureConversation spec, or this version of some 3rd party I&AM product. For this particular audience I was trying to get to the essence of how customers deploy this technology. Here's my architectural taxonomy for XML Gateways.

  • Super PEP - The super/uber policy enforcement point. This is the way that XML Gateways are traditionally deployed. The idea here is that it can enforce any type of policy you can image - WS-Security, Authorization (XACML), SLA Policy, Routing Policy, XML Threat Policy... This is of course a very solid model for the gateway, and the way that most people think of it.
  • Security Services Platform - There has been a lot of talk about reusable security services for a long time. It was how we originally sold WLES/ALES/OES. The Oracle Platform Security Services - OPSS - has picked up some of that same flavor - and the concept is a good one. Let's have a set of security services that can be called from a central location. There are standard interfaces like SAML, XACML, WS-Trust, SPML etc, but how do you actually go build that into an enterprise? XML Gateway to the rescue. I think of this model as turning the gateway on its "side". Basically, the gateway has the ability to expose these WSDLs, and it has integration with all of these 3rd party I+AM vendors like Oracle/Sun, CA, Tivoli, RSA - as well as various LDAPs - that constructing these services is very straight forward. The gateway today has the ability to be an WS-Trust end-point, CRL endpoint as well as exposing an XML Encryption/Decryption and XML Signing/Validation service. Its a simple exercise to extend this model to any API - standard or otherwise. Furthermore, since the Vordel XML Gateway has very fast XML and crypto processing, the services will perform and scale.
  • Cloud Service Broker - This is like you take the XML Gateway and flip it around. Mark O'Neill talked about this convergence between XML Gateways and Cloud Services on his blog. I like the architectural symmetry. By flipping it over, you mediate access to services in the cloud. The Vordel XML Gateway is really good at protecting things like API keys - to avoid the issue of having everyone in the enterprise have unfettered access to the company's storage cloud. The distributed caching capabilities of the Gateway can help in cloud scenarios in two way. First of all, caching boosts performance - no need to go to the cloud to get that file, if the gateway has a recent cached copy. The second is that it can save firms money by optimizing calls to cloud services. In the storage example, this eliminates unnecessary GETs. In a transactional example, some provides give better rates for bulk operations, so the requests can be queued in the cache, and then sent en masse, again saving money.
These three architectures provide a simple way of summarizing the capabilities of the Vordel XML Gateway. Like any pattern, they can be used in conjunction with each other. For example, you could put the Super PEP in-front of the Security Services Platform or have the Security Services Platform call the Cloud Service Broker (off site authentication via cloud). As I continue to work with customers, and learn more about how they are using the gateway, I'll be sharing more of these patterns.

Wednesday, January 26, 2011

How to Securely Integrate Web Services in an Enterprise Environment

I spent the bulk of today updating the technical sales presentations for some upcoming training that we're giving in Boston. While brainstorming about the key messages to deliver to customers, I came across this cartoon.



It's admittedly a little silly, but I really like the core concept of the story. The idea is that the quality of the XML Gateway solution is not strictly about speeds and feeds, but the ability of the product to work across teams to deliver real value. This is not some slight of hand - look over here at this other stuff - the performance of the Vordel Gateway is "unbelievably good" - but simply an observation about the challenges that customers face in deploying a solution like this. I drew inspiration from this presentation, so if and when you see the technical presentation, you may recognize some of the themes. As for the presentation in its raw form, I think its more "appropriate" as a web video. Enjoy!

Friday, January 21, 2011

How to Integrate Web SSO with REST web-services using Oracle Access Manager

Nothing inspires me to blog like being stuck in an airport. I'm stuck in DC on a return from my first Vordel customer trip. We saw customers in San Diego, Los Angeles, Bay Area, and Seattle. Some of them there were very interested in the integration between Oracle Access Manager and Vordel. Once again, Mark O'Neill, CTO of Vordel to the rescue.




  • Authentication - By simply selecting Oracle Access Manager as a repository, usernames and passwords are authenticated against OAM - encapsulating the directory specifics and optimizing connections
  • Identity Propagation - Once authenticated, the OBSSO cookie is available to down stream applications
  • Single Sign On - By adding another filter - Validate Oracle Access Manager Token - the token is validated by the ASDK and the identity available to the service.
The thing that impresses me about this demo is how easy it is to do. I'm still a relatively new to the Vordel product, but the UI metaphor on building the policies using filters and wiring them together is really simple and easy to grasp. Also, the way that you can pull the output of one filter into the input of another is really useful. The UI will also mark filters as RED is you're missing an upstream input.

Having seen experts like Mark and some of the long time Solutions Architects work with the product, you can get very productive with the tool and build super complicated security scenarios with amazing ease. The biggest challenge is that the 6.0 product ships with over 140 filters. This is not a bad thing...it means that the product provides tremendous value out of the box....its not just a framework. But as some one trying to come up to speed, you realize that there is a 99% chance that there is a filter (or set of filters) that will allow you to do the job.

The other really amazing thing about the filters, is that when you're trying to debug a policy, you can use the real-time monitoring, and see the success/failures of each of the individual filters. This is super useful in diagnosing problems in any environment.

Well, they're calling my flight. Wish me luck getting home. Time stuck on the tarmac is just more time to get up to speed on the product :)



Thursday, January 13, 2011

How to Enforce Fine Grained Authorization to REST Services with Vordel and Oracle Entitlements Server

Hello from Dublin,

I'm nearly at the end of a very long week for Vordel Company kick-off, but I wanted to take the time get the new blog headed in the right direction. I know that my blogging activity tailed off over the last few months, but one of my 2011 New Year's resolutions is to blog once a week - and lose 15 lbs.



Not surprisingly, my first post of the new year is on Vordel's integration with Oracle Entitlements Server. Mark O'Neill, the Vordel CTO, has posted a video demo of the integration. It follows the same basic use case as the Oracle Entitlements Server-Oracle Web Services Manager integration that I did last year, except through the magic of the gateway, its protecting a REST service.
A little background on this integration. This was an integration that the A-Team helped Vordel with a while back. What's really nice about it is that it uses the Java SM. This means that all of the calls are made inside of the Gateway. So if we take the real world scenario described in the demo of the trader making a call to get a price, then performance is super critical. A more naive approach would be to call out using XACML. The problem here is that the additional over head of creating an XML request, sending in, parsing in inside of the WS-SM, packing up the response, sending it back, and parsing again is > 100 ms. Did you even know a trader that could wait 100 ms? Also there is the additional operational complexity of having to stand up two instance of the WS-SM so that there is no single point of failure.

Ultimately, I think the best solution would be OpenAz...then you get a standard and likely an in-process implementation. Now, if you have a XACML endpoint and want to call out - Vordel does this OOTB. If you want this approach, my recommendation would be to run the XACML PDP from Oracle or other XACML vendors co-located on the Gateway (you can run the gateway as a software appliance), and then leverage the XML processing power of Vordel.

The point here is that the quality of the integration and the quality of the platform does matter. A good tight integration, like the one between Oracle Entitlements Server and Vordel has real benefits (lower latency, operational efficiency) to customers.