Introduction to IBM WebSphere MQ - IBM Community


© 2014 IBM Corporation

Enterprise grade APIs “with built-in security”

Andy Thurai, IBM (@AndyThurai)

Rob Conti, IBM (@rob_conti282)


House Keeping

• Session is recorded. Replay link will be made available later.
• Please type your questions in the Q&A section.
• We will try to answer them at the end of the session.
• You can also tweet your comments and questions with hashtag.

Hashtag for this webinar: #IBMsecureAPI

• IBM API Management - @ibmapimgt

Building Secure APIs

Andy Thurai
Program Dir – API, IoT, Connected Cloud
IBM
@AndyThurai
www.thurai.net/blog
developer.ibm.com/api


Don’t forget to socialize

#IBMsecureAPI

(Diagram of the traditional enterprise edge: Internet; Web Access Management; Web Servers; Load Balancer / ADC; Security & Integration Gateway; Web Application Firewall; B2B Gateway; Enterprise Application Servers; Enterprise Applications and Databases.)


New Digital Enterprise

Connected “Digital” Enterprise

• Smart Scales: Track health in outpatients
• Connected car: Tracks location, status of car parts
• Mobile: Mobile payments
• Heating and Air Conditioning: Maximum efficiency using weather predictions and remote control
• Building Security: Facial recognition, remote notification
• Smart Deliveries: Track parcel; monitor and open garage door remotely on arrival
• Smart Meter: Track and control usage
• Vending Machine: Stock reporting, temperature, shelf life
• HealthCare: Monitor patients at home
• Container Tracking: End to end tracking, prevent tampering


Is API/IoT/Mobility an Asset or a Liability?

Is your API an asset or a liability?

VentureBeat, Oct 2014

SnapChat

What are your “undocumented” APIs up to? (LinkedIn Pulse, Oct 2014)

“That’s why we haven’t provided a public API to developers and why we prohibit access to the private API we use to provide our service..”

“We’re going to take our time to get it right. Until then, that means any application that isn’t ours but claims to offer Snapchat services violates our Terms of Use and can’t be trusted.”


Be aware………and have a plan!!!


Your business will depend on it!!

When APIs are your business asset


Path to Nirvana!!!

API Security Nirvana!!!

1. Identify & Classify the sensitivity of data/API exposed
2. Protect the data
3. Implement access controls
4. Implement rate limiting
5. Protect your API
6. Get insights


Step #1 – Proper Classification

Muladhara


Step #1 - Classification

Greenland or Iceland???

Step #1 - Classification

Identify the sensitivity of data/API
• PCI, PII, PHI or other compliance related
• EU, Canada, or other Geo related
• Business sensitivity related
• Location specific or other access restrictions
• Different levels – Cloud, Enterprise, Hybrid


Step #2 – Protect the data

Swadhishthana

Data Life

(Diagram of the data life cycle: Collection, Storage, Process, Transport.)


Protect Data


Step #3 – Controlled access

Manipura

Step #3 – Controlled Access

• Understand your userbase – Internal, External, Partners
• Implement a different set of controls for each of them
• Identify the User – Social or Enterprise
• Authentication
• Authorization
  – Identity based
  – Resource based
  – Time based
  – Location based
  – Device based
• Implementation details
  – OAuth, OpenID, SAML
  – API Key + Client Secret
  – WS-Security, JWT, Legacy ID tokens


Step #4 – Rate limiting

Anahata

Step #4 – Rate Limiting

• Classify usage based on userbase
• Enforce SLM based on SLAs
• Don’t be afraid to enforce Quota
• Account for the usage through the API
• Enforce QoS
• Re-route – Error handling, congestion
• Version controls – Better / Enriched user experience


Step #5 – Protect the API

Wishuddha

Step #5 – Protect the API

• Threat Protection – Unintentional & Intentional attacks
• Injection attacks – SQL, XPath
• Cross-Site Scripting
• Validate the parameters – HTTP, REST query, JSON Struct
• DoS and DDoS attacks
• Use a secure transport and avoid snooping
• Schema Validation – JSON, SOAP, and other messages
• Content level attacks


Step #6 – Get Insights

Ajna

Step #6 – Get Insights

• Get usage metrics
• See who is using what, when and how much

IBM Enterprise API platform

Developer Portal
• Explore API documentation
• Provision application keys
• Self-service experience

API Manager
• Define, Secure and manage APIs
• Explore API usage with analytics
• Manage API user communities

Management Console
• Provision system resources
• Monitor runtime health
• Scale the environment

API Gateway (IBM DataPower)
• Enforce runtime policies to control API traffic


API Gateway

Rob Conti

Program Dir – Datapower Appliances

IBM

@rob_conti282

DataPower Gateway Platform

Address growing demands placed on enterprise boundaries by securely delivering Applications, APIs and Data through Multi-Channel Gateways

Systems of Engagement: Focus on demands of Systems of Engagement for scale, responsiveness and security for accessing Systems of Record

Built for Hybrid Cloud: Purpose-Built HW and Firmware-based SW offered in Physical and Virtualized Appliances for deployment to On Premise and Cloud Environments

Developer Friendly: Optimized server-side JavaScript runtime for rapid Time-To-Market. Developer Edition for disconnected network Development.

Modular Framework: Modular gateway framework that unifies capabilities, simplifies architecture and converges Gateway use cases (e.g. Security, Cloud, Web, Mobile, Services and APIs, Internet of Things, B2B)

Mobile security: Mobile specific capabilities for SSO, OAuth, and Threat protection with advanced authentication capabilities provided by the IBM Security Access Manager integrated module for reducing Security Threats

APIs in DNA: API Gateway for securing, integrating, controlling and optimizing API Delivery

DataPower Gateway: Capability Pillars

(Diagram: Before DataPower Gateway vs. After DataPower Gateway; consumers reach the enterprise through the four pillars Secure, Integrate, Control and Optimize.)

Simplify, offload & centralize critical functions

Integrate
• Any-to-any message transformation
• Transport protocol bridging
• Message enrichment
• Database connectivity
• Mainframe connectivity
• B2B trading partner connectivity

Optimize
• SSL / TLS offload
• Hardware accelerated crypto operations
• JSON, XML offload
• JavaScript, JSONiq, XSLT, XQuery acceleration
• Response caching
• Intelligent load distribution

Control
• Service level management
• Quota enforcement, rate limiting
• Message accounting
• Content-based routing
• Failure re-routing
• Integration with governance & management platforms

Secure
• Authentication, authorization, auditing
• Security token translation
• Threat protection
• Schema validation
• Message filtering & semantics validation
• Message digital signature
• Message encryption

Reduce cost, improve security & control with a converged Multi-Channel gateway

(Diagram: Users – Consumers, Employees, Partners, Developers; Business Channels – Web, Mobile, B2B, SOA, APIs, Cloud; the IBM DataPower Gateway as the Multi-Channel Gateway; Applications and Systems – z System, Middleware, ESB, Application, Service.)

DataPower Platform is Purpose-Built for API Security

• Trusted Platform Module (TPM)
• Hardware Accelerated Crypto
• No DVD/CD Drives & Working USB Ports
• Intrusion Detection Switch
• HSM Module
• Signed & Encrypted Firmware
• Secured & Optimized Compiler

Simple Architecture: Firmware + purpose built hardware

Guiding philosophy is to centralize common security, integration, control, and traffic management functions and optimize them in a security-hardened appliance

Simple and Secure Platform Architecture

(Diagram, left – Commodity Gateways: a full Linux OS (including shells and user accounts) running Apache HTTPD, an App Server, a JVM, a JSP Engine, a database, proprietary software and Linux daemons over glibc and libxml, each component with its own config; commodity hardware with display ports, a bootable CD-ROM drive and bootable USB ports.)

(Diagram, right – Purpose-built Gateways: the DataPower Gateway with digitally signed and encrypted firmware in flash memory, crypto acceleration and an IBM optimized embedded operating environment on purpose-built hardware, with a single config.)

API Level Security

• Identity & Access Management
• Threat Protection
• Data Security

Native JSON Support – Enhanced security & control for REST services

• JSON is now a first class, native format on DataPower similar to XML
  – High-speed parsing and tuned compilation with native execution
• JSON schema validation: Security & input validation
  – Built-in validate action
  – Support for draft 3 of IETF specification

JSON Message:

    { "name" : "John Smith",
      "sku" : "20223",
      "price" : "23.95",
      "shipTo" : { "name" : "Jane Smith",
                   "address" : "123 Maple Street",
                   "city" : "Pretendville",
                   "state" : "NY",
                   "zip" : "12345" },
      "billTo" : { "name" : "John Smith",
                   "address" : "123 Maple Street",
                   "city" : "Pretendville",
                   "state" : "NY",
                   "zip" : "12345" }
    }

JSON Schema:

    {
      "type": "object",
      "properties": {
        "name": { "type": "string" },
        "sku": { "type": "string" },
        "price": { "type": "number", "minimum": 0 },
        "shipTo": {
          "type": "object",
          "properties": {
            "name": { "type": "string" },
            "address": { "type": "string" },
            "city": { "type": "string" },
            "state": { "type": "string" },
            "zip": { "type": "string" }
          }
        },
        "billTo": {
          "type": "object",
          "properties": {
            "name": { "type": "string" },
            "address": { "type": "string" },
            "city": { "type": "string" },
            "state": { "type": "string" },
            "zip": { "type": "string" }
          }
        }
      }
    }
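To make the “Security & input validation” point concrete, here is an added example (not DataPower's validate action or any IBM code): a stdlib-only Python validator for the draft-3 subset the slide's schema uses (type, properties, minimum), run against the slide's own message. The message quotes "price" as the string "23.95", so the slide's schema rejects it; the validator reports exactly that and accepts the message once the price is a JSON number.

```python
import json

# Constructed copy of the slide's message; note "price" is quoted, i.e. a JSON string.
ORDER_MESSAGE = '''{ "name" : "John Smith", "sku" : "20223", "price" : "23.95",
  "shipTo" : { "name" : "Jane Smith", "address" : "123 Maple Street",
               "city" : "Pretendville", "state" : "NY", "zip" : "12345" },
  "billTo" : { "name" : "John Smith", "address" : "123 Maple Street",
               "city" : "Pretendville", "state" : "NY", "zip" : "12345" } }'''

# The slide's schema; both address objects share one template.
_ADDRESS = {"type": "object",
            "properties": {k: {"type": "string"}
                           for k in ("name", "address", "city", "state", "zip")}}
ORDER_SCHEMA = {
    "type": "object",
    "properties": {
        "name": {"type": "string"},
        "sku": {"type": "string"},
        "price": {"type": "number", "minimum": 0},
        "shipTo": _ADDRESS,
        "billTo": _ADDRESS,
    },
}

def _type_ok(value, typ):
    """Draft-3 'type' keyword for the three names the slide's schema uses."""
    if typ == "object":
        return isinstance(value, dict)
    if typ == "string":
        return isinstance(value, str)
    if typ == "number":  # bool is an int subclass in Python but not a JSON number
        return isinstance(value, (int, float)) and not isinstance(value, bool)
    raise ValueError("unsupported type keyword: " + typ)

def validate(instance, schema, path="$"):
    """Return a list of violations; an empty list means the instance conforms."""
    typ = schema.get("type")
    if typ is not None and not _type_ok(instance, typ):
        # Stop here: the remaining keywords assume the declared type.
        return [f"{path}: expected {typ}, got {type(instance).__name__}"]
    errors = []
    if "minimum" in schema and instance < schema["minimum"]:
        errors.append(f"{path}: {instance} is below minimum {schema['minimum']}")
    if isinstance(instance, dict):
        # Draft 3 treats members as optional unless marked "required": true,
        # so only members that are present are checked.
        for key, sub in schema.get("properties", {}).items():
            if key in instance:
                errors.extend(validate(instance[key], sub, f"{path}.{key}"))
    return errors

def validate_order(text):
    """Parse a JSON document and validate it against the slide's order schema."""
    return validate(json.loads(text), ORDER_SCHEMA)
```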

Enhanced REST Service Workload Processing

Native JSON support for enhanced security & control of REST services

Query, extract, filter, transform of JSON messages using JSONiq
  – Extension to XQuery: Like SQL for JSON and XML

Input (JSON Message):

    { "name" : "John Smith",
      "sku" : "20223",
      "price" : "23.95",
      "shipTo" : { "name" : "Jane Smith",
                   "address" : "123 Maple Street",
                   "city" : "Pretendville",
                   "state" : "NY",
                   "zip" : "12345" },
      "billTo" : { "name" : "John Smith",
                   "address" : "123 Maple Street",
                   "city" : "Pretendville",
                   "state" : "NY",
                   "zip" : "12345" }
    }

Extract – return the shipTo object:

    declare namespace output = "http://www.w3.org/2010/xslt-xquery-serialization";
    declare option jsoniq-version "0.4.42";
    declare option output:method "json";
    .("shipTo")

Result:

    { "name" : "Jane Smith",
      "address" : "123 Maple Street",
      "city" : "Pretendville",
      "state" : "NY",
      "zip" : "12345"
    }

Filter – reject orders shipping to Hawaii:

    declare namespace output = "http://www.w3.org/2010/xslt-xquery-serialization";
    declare option jsoniq-version "0.4.42";
    declare option output:method "json";
    if (.("shipTo")("state") = "HI")
    then fn:error(fn:QName('http://example.org/mine', 'myerr:noshipHI'),
                  'Sorry, we do not ship to Hawaii.')
    else .  (: otherwise pass the message through unchanged :)

Result for a message whose shipTo state is "HI":

    *** ABORTED: Error noshipHI: Sorry, we do not ship to Hawaii.

Transform – render selected fields as XML:

    declare option jsoniq-version "0.4.42";
    <order>
      <name>{.("name")}</name>
      <price>{.("price")}</price>
      <state>{.("shipTo")("state")}</state>
    </order>

Result:

    <?xml version="1.0" encoding="UTF-8"?>
    <order><name>John Smith</name><price>23.95</price><state>NY</state></order>

Query – the input here is a JSON array of orders:

    [{ "given" : "John", "surname" : "Smith", "sku" : "20223", "price" : 23.95},
     { "given" : "Alice", "surname" : "Brown", "sku" : "54321", "price" : 199.95},
     { "given" : "John", "surname" : "Smith", "sku" : "23420", "price" : 104.95},
     { "given" : "Bob", "surname" : "Green", "sku" : "90231", "price" : 300.00},
     { "given" : "Scott", "surname" : "Jones", "sku" : "54321", "price" : 199.95},
     { "given" : "Jim", "surname" : "Lee", "sku" : "89820", "price" : 46.50}]

    declare option jsoniq-version "0.4.42";
    for $x in jn:members(.)
    where $x("price") >= 100.00
    order by $x("surname")
    return concat($x("given"), ' ', $x("surname"), '&#xA;')

Result:

    Alice Brown
    Bob Green
    Scott Jones
    John Smith

End-to-End API Security

Configuration-Driven Message Level Security
• Encrypt
• Decrypt
• Sign
• Verify

Full or Partial Payload Support

Mitigating Threats

XML Threat Protection
• Entity Expansion/Recursion Attacks
• Public Key DoS
• XML Flood
• Resource Hijack
• Dictionary Attack
• Replay Attack
• Message/Data Tampering
• Message Snooping
• XPath or SQL Injection
• XML Encapsulation
• XML Virus
• …many others

Protocol Level
• Headers - Depth, Width & Length
• HTTP Verbs & Versions
• Max Connections
• Query Strings
• Websocket Upgrade
• Rate Limiting
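As an added example of the entity expansion and nesting-depth items above (not DataPower's threat protection), a Python screener that uses expat's declaration callbacks to refuse any entity declaration before expansion can begin and caps element depth; the limit values are constructed.

```python
import xml.parsers.expat as expat

MAX_DEPTH = 32        # constructed limit, not a DataPower default
MAX_BYTES = 1 << 20   # constructed limit

class XmlThreat(ValueError):
    """Raised when a document is refused before it can do damage."""

def check_xml(raw, max_depth=MAX_DEPTH, max_bytes=MAX_BYTES):
    """Parse `raw` (bytes) with expat callbacks that refuse entities and runaway nesting."""
    if len(raw) > max_bytes:
        raise XmlThreat(f"document size {len(raw)} exceeds {max_bytes}")
    parser = expat.ParserCreate()
    depth = [0]  # a list so the closures below can update it

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # Internal entities are the building block of expansion ("billion laughs")
        # attacks; external ones would make the gateway fetch a remote resource.
        raise XmlThreat(f"entity declaration {name!r} refused")

    def on_external_ref(context, base, system_id, public_id):
        raise XmlThreat(f"external entity {system_id!r} refused")

    def on_start(name, attrs):
        depth[0] += 1
        if depth[0] > max_depth:
            raise XmlThreat(f"element nesting depth {depth[0]} exceeds {max_depth}")

    def on_end(name):
        depth[0] -= 1

    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    parser.Parse(raw, True)  # exceptions raised inside handlers propagate from here
    return "ok"

def screen_xml(raw):
    """Gateway-style verdict: 'ok', or why the document was rejected."""
    try:
        return check_xml(raw)
    except (XmlThreat, expat.ExpatError) as exc:
        return f"rejected: {exc}"
```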

JSON Threat Protection

JSON Examples
• Jumbo Payload
• Name-Value Pair
• Label - Value Pairs
  – Label String Length (characters)
  – Value String Length (characters)
  – Number Length (characters)
• Threat Protection
  – Maximum nesting depth (levels)
  – Maximum document size (bytes)

(Diagram annotations on the sample message: Label String, Value String, Number, Nesting Depth of 3, Document Size.)
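An added example (not DataPower's implementation) of the five JSON threat-protection limits the slide lists, in Python; the limit values are constructed, and number length is measured on the literal text before parsing, because a parsed number no longer carries its length.

```python
import json

# Constructed limits for the five controls the slide lists; not DataPower defaults.
LIMITS = {
    "max_document_size": 4096,   # bytes on the wire
    "max_nesting_depth": 3,      # levels of object/array nesting
    "max_label_length": 32,      # characters in an object member name
    "max_value_length": 256,     # characters in a string value
    "max_number_length": 16,     # characters in a number literal
}

class JsonThreat(ValueError):
    """Raised when a document exceeds one of the configured limits."""

def check_json(raw, limits=LIMITS):
    """Parse `raw` (bytes) only if every limit holds; return the decoded value."""
    if len(raw) > limits["max_document_size"]:
        raise JsonThreat(f"document size {len(raw)} > {limits['max_document_size']}")

    def parse_number(literal):
        # Measured on the source text: once parsed, a 400-digit integer is just an int.
        if len(literal) > limits["max_number_length"]:
            raise JsonThreat(f"number literal of {len(literal)} chars")
        return float(literal) if any(c in literal for c in ".eE") else int(literal)

    try:
        doc = json.loads(raw.decode("utf-8"),
                         parse_int=parse_number, parse_float=parse_number)
    except RecursionError:
        # The decoder hit the interpreter's limit before our depth check could run.
        raise JsonThreat("nesting too deep to parse") from None
    _walk(doc, 1, limits)  # the outermost object or array is level 1
    return doc

def _walk(node, depth, limits):
    """Enforce depth, label-length and string-length limits over the parsed tree."""
    if isinstance(node, (dict, list)):
        if depth > limits["max_nesting_depth"]:
            raise JsonThreat(f"nesting depth {depth} > {limits['max_nesting_depth']}")
        members = node.items() if isinstance(node, dict) else enumerate(node)
        for key, child in members:
            if isinstance(key, str) and len(key) > limits["max_label_length"]:
                raise JsonThreat(f"label of {len(key)} chars")
            _walk(child, depth + 1, limits)
    elif isinstance(node, str) and len(node) > limits["max_value_length"]:
        raise JsonThreat(f"string value of {len(node)} chars")

def screen(raw, limits=LIMITS):
    """Gateway-style verdict: 'ok', or the reason the message was rejected."""
    try:
        check_json(raw, limits)
        return "ok"
    except ValueError as exc:  # JsonThreat, JSONDecodeError and bad UTF-8 alike
        return f"rejected: {exc}"
```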

Flexible Access Management

(Diagram: the AAA pipeline from input to output.)

Extract Identity: HTTP Headers, WS-Security Tokens, WS-SecureConversation, WS-Trust, Kerberos, X.509/SSL, SAML Assertion, IP Address, LTPA Token, HTML Form, OAuth, Custom

Authenticate: LDAP/Active Directory, System/z NSS (RACF, SAF), IBM Security Access Manager, Kerberos, WS-Trust, Netegrity SiteMinder, RADIUS, SAML, LTPA, Verify Signature, Custom

Extract Resource: URL, XPath, SOAP Operation, HTTP Operation, Custom

Map Identity / Map Resource

Authorize: LDAP/Active Directory, System/z NSS, IBM Security Access Manager, Netegrity SiteMinder, SAML, XACML, OAuth, Custom

Audit & Post-Process: Add WS-Security, Generate z/OS ICRX Token, Generate Kerberos, Generate SPNEGO, Generate SAML, Generate LTPA, Map Tivoli Federated Identity

Backed by an External Access Control Server or the Onboard Identity Management Store

Mobile Gateway solution

Rapidly deliver secure integration & optimized access for enterprise mobile applications

• DataPower appliance with ISAM module for security enforcement, traffic control & management, application acceleration, transport bridging & message transformation
• ISAM for Mobile appliance for context based access (CBA), mobile SSO, strong authentication including one-time password (OTP) & multi-factor authentication (MFA)

(Diagram: DataPower with ISAM Module; ISAM for Mobile.)

Getting Social with IBM DataPower Gateways

• YouTube Channel: IBM DataPower Gateways
• Slideshare: IBM DataPower Gateway
• Twitter: @IBMGateways
• LinkedIn Group: IBM DataPower Gateway
• developerWorks blog: IBM DataPower Gateway
• GitHub: IBM DataPower Gateway
• Online User Forum
• Product page on ibm.com
• Product documentation

Available Now: DataPower Handbook, Second Edition, Volume 1

• Complete rewrite, update of prior content, new content to cover past six years of new products/features, including 9006/7.1!
• Volume 1 consists of Chap 1 DataPower Intro & Chap 2 Setup Guide for physical and virtual appliances.
• Additional new Preface and two invaluable new appendices
• Available today on Amazon CreateSpace
  – https://www.createspace.com/4745597
• Amazon.com worldwide & Amazon Kindle
  – KindleMatch – buy hardcopy & get ebook for US$2.99
  – Kindle Unlimited, Kindle lending
• Additional volumes will cover the rest of the first edition content:
  – Networking
  – Development
  – Administration
  – Security
  – Problem Determination

Step #7 – API Security Nirvana!!!

Sahasrara

Innovation meets Enterprise

(Diagram: the Enterprise side – Private Cloud, Processes, Databases, Analytics, Mainframe, Services, SOA – meets the Innovation side – Internet of Things, Mobile, Public Cloud, Social Web, Partners – through the API, which must be Measurable, Controllable, Managed, Monetized and Scalable.)

Challenges to delivering an engaging Mobile experience

(Diagram: Internet of Things, Mobile, Public Cloud, Social Web and Partners on one side; Private Cloud, Back-office Processes, Analytics, Services, Databases and CRM on the other; “THINK APIs” in between.)

• Range of Devices: How to cost-effectively support a range of popular device platforms?
• Pace of Innovation: How to restlessly reinvent and enhance the Mobile experience faster?
• Protect Perimeter: How to secure the boundary without disrupting the Mobile experience?
• Backend Integration: How to integrate Mobile activities into existing back-end processes and data?
• Scale & Latency: How to deliver the responsiveness that Mobile users expect at Internet scale?


Data breaches on the rise

APIs give direct access to data

• Protect your APIs which have “my personal” data in them
• It is your corporate, legal and moral obligation
• Don’t tell me it is a “sophisticated attack” when you didn’t follow security best practices


Questions?

@AndyThurai

www.thurai.net/blog

https://apim.ibmcloud.com/

www.ibm.com/apimanagement

@ibmapimgt