Monday, August 20, 2007

Holiday = time to read SOA book

While on holiday; I took along of copy of “Understanding Enterprise SOA ” by Eric Pulier and Hugh Taylor. The book uses the merger of 2 insurance companies as a background setting to explain the use of Service Oriented Architecture. The story of the different architects in the insurance companies with the author as the external consultant reads very fluently. By the way, the use of SOA also means the use of Web Services technology. So the fundamental WS technologies are explained in an open manner with some “Savvy Manager Cautions”.

Although the book is well written, I cannot recommend it. One thing I fundamentally disagree is to put integration (EAI) technology aside as an “old” technology. 1st of all, the world is not web services alone: file transfer, async. processing, connectivity to databases and back-end applications, support for B2B protocols all require the use of integration tools such as Enterprise Services Buses or Message Brokers.

The author Eric Pullier is Chairman of SOA Software . The name SOA Software pops up here and there as a vendor of WS mediation solutions. E.g. SOA Software acquired Blue Titan . But I haven’t encountered SOA Software here in Europe. Having no technical documentation available online, it’s hard to tell what their products actually cover.

Thursday, August 16, 2007

SSL beats WS-Security?

The weekly newsletter contained a link to a very interesting presentation about securing web services, given by Brad Hill of isecpartners at Black Hat briefings.

The presentation states that SSL with client certificates is the better mechanism to secure web services. Two main arguments: 1) SSL with client certificates is proven technology and very robust and 2) WS-Security isn't very good because it is so extensive and complex, and therefore an easy target for attack

SSL with client certificates is indeed a strong mechanism for securing connections coming into your DMZ. And the use of self-signed certificates makes the setup cheaper and more straightforward. But the use of SSL with client certificates also has its challenges. Biggest issue is the SSL session termination by a network device in front of you application server. If the SSL connection can be terminated in a container under your control, all information can be retrieved from the client certificate. But in case of such network device, you can only hope (or arrange) that the device forwards information about the client certificate to your application (e.g. using a HTTP header field such as SSL_CLIENT_CERT).

For his 2nd point, WS-Security indeed has (too) many options. Actually, it is more the underlying XML Signing and XML Encryption standards that provide too many options. WS-I will have to do a good job in reducing the number of options and choosing some good defaults. And to make things really secure and robust, the WS-Security implementations should only implement and support what is required by the WS-I Security Profile.

EDIINT AS2 is a nice example how security can be made workable: numerous organizations implement message level signing and encryption when setting up AS2 connections (only complexity is the process certificate renewal when using message level encryption).

So, while not fully agreeing with all the content, the presentation is a great piece of information.