Introduction to IBM WebSphere MQ - IBM Community
Slide 1 © 2014 IBM Corporation
Enterprise grade APIs “with built-in security”
Andy Thurai, IBM (@AndyThurai)
Rob Conti, IBM (@rob_conti282)
Slide 2
Housekeeping
• Session is recorded. Replay link will be made available later.
• Please type your questions in the Q&A section.
• We will try to answer them at the end of the session.
• You can also tweet your comments and questions with the hashtag.
• Hashtag for this webinar: #IBMsecureAPI
• IBM API Management - @ibmapimgt
Slide 3
Building Secure APIs
Andy Thurai
Program Dir – API, IoT, Connected Cloud
IBM
@AndyThurai
Blog: www.thurai.net/blog
developer.ibm.com/api
Slide 5
[Diagram of the enterprise edge; components shown: Internet, Load Balancer, ADC, Web Access Management, Web Servers, Web Application Firewall, Security & Integration Gateway, B2B Gateway, Enterprise Application Servers, Enterprise Applications and Databases]
Slide 7
Connected “Digital” Enterprise
• Smart Scales: Track health in outpatients
• Connected car: Tracks location, status of car parts
• Mobile: Mobile payments
• Heating and Air Conditioning: Maximum efficiency using weather predictions and remote control
• Building Security: Facial recognition, remote notification
• Smart Deliveries: Track parcel; monitor and open garage door remotely on arrival
• Smart Meter: Track and control usage
• Vending Machine: Stock reporting, temperature, shelf life
• HealthCare: Monitor patients at home
• Container Tracking: End to end tracking, prevent tampering
Slide 8
Is API/IoT/Mobility an Asset or a Liability?
“Is your API an asset or a liability?” (VentureBeat, Oct 2014)
Slide 9
Snapchat
What are your “undocumented” APIs up to? (LinkedIn Pulse, Oct 2014)
“That’s why we haven’t provided a public API to developers and why we prohibit access to the private API we use to provide our service.”
“We’re going to take our time to get it right. Until then, that means any application that isn’t ours but claims to offer Snapchat services violates our Terms of Use and can’t be trusted.”
Slide 13
API Security Nirvana!!!
1. Identify & Classify the sensitivity of data/API exposed
2. Protect the data
3. Implement access controls
4. Implement rate limiting
5. Protect your API
6. Get insights
Slide 16
Step #1 - Classification
Identify the sensitivity of data/API
• PCI, PII, PHI or other compliance related
• EU, Canada, or other Geo related
• Business sensitivity related
• Location specific or other access restrictions
• Different levels – Cloud, Enterprise, Hybrid
Slide 21
Step #3 – Controlled Access
• Understand your userbase – Internal, External, Partners
• Implement a different set of controls for each of them
• Identify the User – Social or Enterprise
• Authentication
• Authorization
– Identity based
– Resource based
– Time based
– Location based
– Device based
• Implementation details
– OAuth, OpenID, SAML
– API Key + Client Secret
– WS-Security, JWT, Legacy ID tokens
Slide 23
Step #4 – Rate Limiting
• Classify usage based on userbase
• Enforce SLM (service level management) based on SLAs
• Don’t be afraid to enforce Quota
• Account for the usage through the API
• Enforce QoS
• Re-route – Error handling, congestion
• Version controls – Better/Enriched user experience
Slide 25
Step #5 – Protect the API
• Threat Protection – Unintentional & Intentional attacks
• Injection attacks – SQL, XPath
• Cross-Site Scripting
• Validate the parameters – HTTP, REST query, JSON structure
• DoS and DDoS attacks
• Use a secure transport and avoid snooping
• Schema Validation – JSON, SOAP, and other messages
• Content level attacks
Slide 27
Step #6 – Get Insights
• Get usage metrics
• See who is using what, when and how much
Slide 28
IBM Enterprise API platform
Developer Portal
• Explore API documentation
• Provision application keys
• Self-service experience
API Manager
• Define, Secure and manage APIs
• Explore API usage with analytics
• Manage API user communities
Management Console
• Provision system resources
• Monitor runtime health
• Scale the environment
API Gateway (IBM DataPower)
• Enforce runtime policies to control API traffic
Slide 29
API Gateway
Rob Conti
Program Dir – DataPower Appliances
IBM
@rob_conti282
Slide 30
DataPower Gateway Platform
Address growing demands placed on enterprise boundaries by securely delivering Applications, APIs and Data through Multi-Channel Gateways
Systems of Engagement
Focus on demands of Systems of Engagement for scale, responsiveness and security for accessing Systems of Record
Built for Hybrid Cloud
Purpose-Built HW and Firmware-based SW offered in Physical and Virtualized Appliances for deployment to On Premise and Cloud Environments
Developer Friendly
Optimized server-side JavaScript runtime for rapid Time-To-Market. Developer Edition for disconnected network Development.
Modular Framework
Modular gateway framework that unifies capabilities, simplifies architecture and converges Gateway use cases (e.g. Security, Cloud, Web, Mobile, Services and APIs, Internet of Things, B2B)
Mobile security
Mobile specific capabilities for SSO, OAuth, and Threat protection, with advanced authentication capabilities provided by the IBM Security Access Manager integrated module for reducing Security Threats
APIs in DNA
API Gateway for securing, integrating, controlling and optimizing API Delivery
Slide 31
Capability Pillars
[Diagram: multiple consumers before and after the DataPower Gateway, which simplifies, offloads & centralizes critical functions under four pillars: Secure, Control, Integrate, Optimize]
Integrate
• Any-to-any message transformation
• Transport protocol bridging
• Message enrichment
• Database connectivity
• Mainframe connectivity
• B2B trading partner connectivity
Optimize
• SSL / TLS offload
• Hardware accelerated crypto operations
• JSON, XML offload
• JavaScript, JSONiq, XSLT, XQuery acceleration
• Response caching
• Intelligent load distribution
Control
• Service level management
• Quota enforcement, rate limiting
• Message accounting
• Content-based routing
• Failure re-routing
• Integration with governance & management platforms
Secure
• Authentication, authorization, auditing
• Security token translation
• Threat protection
• Schema validation
• Message filtering & semantics validation
• Message digital signature
• Message encryption
Slide 32
[Diagram: users (Employees, Partners, Developers, All Consumers) reach Applications and Systems (z System, Middleware, ESB, Application Servers, Cloud Services) over Business Channels (Web, Mobile, B2B, SOA, APIs) through one converged Multi-Channel Gateway, the IBM DataPower Gateway]
Reduce cost, improve security & control with a converged Multi-Channel gateway
Slide 33
DataPower Platform is Purpose-Built for API Security
• Trusted Platform Module (TPM)
• Hardware Accelerated Crypto
• No DVD/CD Drives & No Working USB Ports
• Intrusion Detection Switch
• HSM Module
• Signed & Encrypted Firmware
• Secured & Optimized Compiler
Slide 34
Simple Architecture: Firmware + purpose built hardware
Guiding philosophy is to centralize common security, integration, control, and traffic management functions and optimize them in a security-hardened appliance
Simple and Secure Platform Architecture
[Diagram comparing the two stacks]
Commodity Gateways: a full Linux OS (including shells and user accounts) on commodity hardware with display ports, a bootable CDROM drive and bootable USB ports, running a database, app server, Apache HTTPD, JVM, JSP engine, glibc, libxml, proprietary software and Linux daemons, each with its own config
Purpose-built Gateways (DataPower Gateway): digitally signed and encrypted firmware in flash memory, crypto acceleration, and an IBM optimized embedded operating environment on purpose-built hardware
Slide 35
API Level Security
• Identity & Access Management
• Threat Protection
• Data Security
Slide 36
Native JSON Support: Enhanced security & control for REST services
• JSON is now a first class, native format on DataPower similar to XML
– High-speed parsing and tuned compilation with native execution
• JSON schema validation: Security & input validation
– Built-in validate action
– Support for draft 3 of the IETF specification

JSON Message (price is a JSON number, which is what the schema below requires):
{ "name" : "John Smith",
  "sku" : "20223",
  "price" : 23.95,
  "shipTo" : { "name" : "Jane Smith",
               "address" : "123 Maple Street",
               "city" : "Pretendville",
               "state" : "NY",
               "zip" : "12345" },
  "billTo" : { "name" : "John Smith",
               "address" : "123 Maple Street",
               "city" : "Pretendville",
               "state" : "NY",
               "zip" : "12345" }
}

JSON Schema:
{
  "type": "object",
  "properties": {
    "name": { "type": "string" },
    "sku": { "type": "string" },
    "price": { "type": "number", "minimum": 0 },
    "shipTo": {
      "type": "object",
      "properties": {
        "name": { "type": "string" },
        "address": { "type": "string" },
        "city": { "type": "string" },
        "state": { "type": "string" },
        "zip": { "type": "string" }
      }
    },
    "billTo": {
      "type": "object",
      "properties": {
        "name": { "type": "string" },
        "address": { "type": "string" },
        "city": { "type": "string" },
        "state": { "type": "string" },
        "zip": { "type": "string" }
      }
    }
  }
}
[Threat Protection, Data Security]
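As an added illustration (not DataPower code and not from the deck), a small Python validator for the draft-3 subset the slide's schema uses, run over the order message above; the "minimum" rule on "price" is why the price must be a JSON number rather than the string "23.95":

```python
import json

# Constructed for this example: the slide's order message (price carried as
# a JSON number, as the schema requires) and the draft-3 style schema.
ORDER = json.loads('''{ "name": "John Smith", "sku": "20223", "price": 23.95,
  "shipTo": {"name": "Jane Smith", "address": "123 Maple Street",
             "city": "Pretendville", "state": "NY", "zip": "12345"},
  "billTo": {"name": "John Smith", "address": "123 Maple Street",
             "city": "Pretendville", "state": "NY", "zip": "12345"} }''')

ADDRESS = {"type": "object", "properties": {
    key: {"type": "string"} for key in ("name", "address", "city", "state", "zip")}}
SCHEMA = {"type": "object", "properties": {
    "name": {"type": "string"}, "sku": {"type": "string"},
    "price": {"type": "number", "minimum": 0},
    "shipTo": ADDRESS, "billTo": ADDRESS}}

# JSON type names used by the schema mapped onto Python types.
TYPES = {"object": dict, "string": str, "number": (int, float)}

def validate(value, schema, path="$"):
    """Return a list of violations (empty means the message conforms).
    Covers the draft-3 keywords the slide's schema uses: type,
    properties and minimum. bool is deliberately not a "number"."""
    expected = schema.get("type")
    if expected in TYPES:
        if isinstance(value, bool) or not isinstance(value, TYPES[expected]):
            return [f"{path}: expected {expected}, got {type(value).__name__}"]
    errors = []
    if "minimum" in schema and value < schema["minimum"]:
        errors.append(f"{path}: {value} is below minimum {schema['minimum']}")
    for name, sub in schema.get("properties", {}).items():
        if name in value:   # draft 3: absent properties pass unless "required"
            errors.extend(validate(value[name], sub, f"{path}.{name}"))
    return errors

def validate_order(text):
    """Gateway-style validate action: parse the raw body, then check it
    against SCHEMA before it is forwarded to the backend."""
    return validate(json.loads(text), SCHEMA)
```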
Slide 37
Enhanced REST Service Workload Processing
Native JSON support for enhanced security & control of REST services
Query, extract, filter, transform of JSON messages using JSONiq
– Extension to XQuery: Like SQL for JSON and XML

Input message (used by Extract, Filter and Transform):
{ "name" : "John Smith",
  "sku" : "20223",
  "price" : 23.95,
  "shipTo" : { "name" : "Jane Smith",
               "address" : "123 Maple Street",
               "city" : "Pretendville",
               "state" : "NY",
               "zip" : "12345" },
  "billTo" : { "name" : "John Smith",
               "address" : "123 Maple Street",
               "city" : "Pretendville",
               "state" : "NY",
               "zip" : "12345" }
}

Extract (return only the shipTo object):
declare namespace output = "http://www.w3.org/2010/xslt-xquery-serialization";
declare option jsoniq-version "0.4.42";
declare option output:method "json";
.("shipTo")

Output:
{ "name" : "Jane Smith",
  "address" : "123 Maple Street",
  "city" : "Pretendville",
  "state" : "NY",
  "zip" : "12345"
}

Filter (reject orders shipping to Hawaii):
declare namespace output = "http://www.w3.org/2010/xslt-xquery-serialization";
declare option jsoniq-version "0.4.42";
declare option output:method "json";
if (.("shipTo")("state") = "HI")
then fn:error(fn:QName('http://example.org/mine', 'myerr:noshipHI'),
              'Sorry, we do not ship to Hawaii.')
else . (: pass the message through unchanged; XQuery requires an else branch :)

Output for a message whose shipTo state is "HI":
*** ABORTED: Error noshipHI: Sorry, we do not ship to Hawaii.

Transform (JSON to XML):
declare option jsoniq-version "0.4.42";
<order>
  <name>{.("name")}</name>
  <price>{.("price")}</price>
  <state>{.("shipTo")("state")}</state>
</order>

Output:
<?xml version="1.0" encoding="UTF-8"?>
<order><name>John Smith</name><price>23.95</price><state>NY</state></order>

Query (input is an array of orders):
[{ "given" : "John", "surname" : "Smith", "sku" : "20223", "price" : 23.95},
 { "given" : "Alice", "surname" : "Brown", "sku" : "54321", "price" : 199.95},
 { "given" : "John", "surname" : "Smith", "sku" : "23420", "price" : 104.95},
 { "given" : "Bob", "surname" : "Green", "sku" : "90231", "price" : 300.00},
 { "given" : "Scott", "surname" : "Jones", "sku" : "54321", "price" : 199.95},
 { "given" : "Jim", "surname" : "Lee", "sku" : "89820", "price" : 46.50}]

declare option jsoniq-version "0.4.42";
for $x in jn:members(.)
where $x("price") >= 100.00
order by $x("surname")
return concat($x("given"), ' ', $x("surname"), '
')

Output:
Alice Brown
Bob Green
Scott Jones
John Smith
[Data Security]
Slide 38
End-to-End API Security
Configuration-Driven Message Level Security
• Encrypt
• Decrypt
• Sign
• Verify
Full or Partial Payload Support
[Data Security]
Slide 39
Mitigating Threats
XML Threat Protection
• Entity Expansion/Recursion Attacks
• Public Key DoS
• XML Flood
• Resource Hijack
• Dictionary Attack
• Replay Attack
• Message/Data Tampering
• Message Snooping
• XPath or SQL Injection
• XML Encapsulation
• XML Virus
• …many others
Protocol Level
• Headers - Depth, Width & Length
• HTTP Verbs & Versions
• Max Connections
• Query Strings
• Websocket Upgrade
• Rate Limiting
[Threat Protection]
Slide 40
JSON Threat Protection
• Jumbo Payload
• Name-Value Pair
• Label - Value Pairs
– Label String Length (characters)
– Value String Length (characters)
– Number Length (characters)
• Threat Protection
– Maximum nesting depth (levels)
– Maximum document size (bytes)
[Diagram: JSON examples annotating a label string, a value string, a number, a nesting depth of 3, and the document size]
[Threat Protection]
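An added example (Python, not DataPower code) of enforcing the five limits on this slide against a raw request body before it is parsed into the backend; the limit values are constructed for the example, not product defaults, and the number-length check uses the parse_int/parse_float hooks of json.loads so it sees the literal characters the client sent:

```python
import json

# Limits in the units the slide uses (bytes, characters, levels);
# the values are constructed for this example, not product defaults.
LIMITS = {"document_size": 4096, "nesting_depth": 3, "label_length": 32,
          "value_length": 256, "number_length": 16}

class JsonThreat(ValueError):
    """Raised when a raw body breaks one of the threat-protection limits."""

def _number_literal(raw, limits):
    # json.loads passes the parse_int/parse_float hooks the literal text,
    # so number length is measured on the characters the client sent.
    if len(raw) > limits["number_length"]:
        raise JsonThreat(f"number literal of {len(raw)} chars exceeds limit")
    return float(raw) if any(c in raw for c in ".eE") else int(raw)

def _walk(node, depth, limits):
    # Depth counts containers: the root object/array is level 1.
    if isinstance(node, (dict, list)):
        if depth > limits["nesting_depth"]:
            raise JsonThreat(f"nesting depth {depth} exceeds limit")
        pairs = node.items() if isinstance(node, dict) else enumerate(node)
        for label, value in pairs:
            if isinstance(label, str) and len(label) > limits["label_length"]:
                raise JsonThreat(f"label of {len(label)} chars exceeds limit")
            _walk(value, depth + 1, limits)
    elif isinstance(node, str) and len(node) > limits["value_length"]:
        raise JsonThreat(f"value string of {len(node)} chars exceeds limit")

def check_json_body(body: bytes, limits=LIMITS):
    """Enforce the limits on a raw request body before it is handed to the
    backend. Returns the parsed document or raises JsonThreat."""
    if len(body) > limits["document_size"]:
        raise JsonThreat(f"document of {len(body)} bytes exceeds limit")
    hook = lambda raw: _number_literal(raw, limits)
    try:
        doc = json.loads(body.decode("utf-8"), parse_int=hook, parse_float=hook)
    except RecursionError:
        raise JsonThreat("nesting too deep for the parser") from None
    _walk(doc, 1, limits)
    return doc

def violation(body: bytes, **overrides):
    """Return the violation message for a body, or None if it passes."""
    try:
        check_json_body(body, {**LIMITS, **overrides})
    except JsonThreat as err:
        return str(err)
    return None
```

The size check runs on the bytes before any parsing, so a jumbo payload is rejected without the parser ever allocating for it.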
Slide 41
Flexible Access Management
[Diagram: the AAA policy flow from input to output, backed by an External Access Control Server or Onboard Identity Management Store]
Extract Identity: HTTP Headers, WS-Security Tokens, WS-SecureConversation, WS-Trust, Kerberos, X.509/SSL, SAML Assertion, IP Address, LTPA Token, HTML Form, OAuth, Custom
Extract Resource: URL, XPath, SOAP Operation, HTTP Operation, Custom
Authenticate: LDAP/Active Directory, System/z NSS (RACF, SAF), IBM Security Access Manager, Kerberos, WS-Trust, Netegrity SiteMinder, RADIUS, SAML, LTPA, Verify Signature, Custom
Map Identity, Map Resource
Authorize: LDAP/Active Directory, System/z NSS, IBM Security Access Manager, Netegrity SiteMinder, SAML, XACML, OAuth, Custom
Audit & Post-Process: Add WS-Security, Generate z/OS ICRX Token, Generate Kerberos, Generate Spnego, Generate SAML, Generate LTPA, Map Tivoli Federated Identity
[Identity & Access Management]
Slide 42
Mobile Gateway solution
Rapidly deliver secure integration & optimized access for enterprise mobile applications
• DataPower appliance with ISAM module for security enforcement, traffic control & management, application acceleration, transport bridging & message transformation
• ISAM for Mobile appliance for context based access (CBA), mobile SSO, strong authentication including one-time password (OTP) & multi-factor authentication (MFA)
[Diagram: DataPower with the ISAM Module alongside the ISAM for Mobile appliance]
[Identity & Access Management]
Slide 43
Getting Social with IBM DataPower Gateways
• YouTube Channel: IBM DataPower Gateways
• Slideshare: IBM DataPower Gateway
• Twitter: @IBMGateways
• LinkedIn Group: IBM DataPower Gateway
• developerWorks blog: IBM DataPower Gateway
• GitHub: IBM DataPower Gateway
• Online User Forum
• Product page on ibm.com
• Product documentation
Slide 44
Available Now: DataPower Handbook, Second Edition, Volume 1
• Complete rewrite, update of prior content, new content to cover the past six years of new products/features, including 9006/7.1!
• Volume 1 consists of Chap 1 DataPower Intro & Chap 2 Setup Guide for physical and virtual appliances.
• Additional new Preface and two invaluable new appendices
• Available today on Amazon CreateSpace
– https://www.createspace.com/4745597
– Amazon.com worldwide & Amazon Kindle
– KindleMatch – buy hardcopy & get ebook for US$2.99
– Kindle Unlimited, Kindle lending
• Additional volumes will cover the rest of the first edition content:
– Networking
– Development
– Administration
– Security
– Problem Determination
Slide 46
Innovation meets Enterprise
[Diagram: APIs bridge the enterprise side (Private Cloud, Processes, Databases, Analytics, Mainframe, Services, SOA) and the innovation side (Internet of Things, Mobile, Public Cloud, Social Web, Partners); the API layer is Measurable, Controllable, Managed, Monetized, Scalable]
Slide 47
Challenges to delivering an engaging Mobile experience
[Diagram: Internet of Things, Mobile, Public Cloud, Social Web and Partners on one side; Private Cloud, Back-office Processes, Analytics, Services, Databases and CRM on the other; “THINK APIs” in between]
• Range of Devices: How to cost-effectively support a range of popular device platforms?
• Pace of Innovation: How to restlessly reinvent and enhance the Mobile experience faster?
• Protect Perimeter: How to secure the boundary without disrupting the Mobile experience?
• Backend Integration: How to integrate Mobile activities into existing back-end processes and data?
• Scale & Latency: How to deliver the responsiveness that Mobile users expect at Internet scale?
Slide 49
APIs give direct access to data
• Protect your APIs which have “my personal” data in them
• It is your corporate, legal and moral obligation
• Don’t tell me it is a “sophisticated attack” when you didn’t follow security best practices