JaxView: Centralize SOA and Cloud API Security Enforcement
Security remains an ongoing concern in SOA & Cloud deployments:
- Do your Web services apply security policies consistently?
- Can changes to security policies be easily implemented across all services?
- Do your developers lose productivity implementing security functions for individual services?
JaxView centralizes security management for Web services to save time and ensure consistent security implementation. JaxView removes the development overhead and reduces the risk of error inherent in implementing and managing security functions on individual service interfaces.
Single Point of Security Enforcement
Save implementation time and ease security management by using JaxView as a service proxy to check and enforce policies on XML message content. With JaxView, you can:
- Authenticate and validate users and service requests
- Enforce security policies for service access and usage
- Automatically enforce security policy changes
Extend Security to the First and Last Mile
A frequently overlooked security risk is in the "last mile" - the application server itself. When deployed on the application server, JaxView is able to extend its security enforcement functionality to include the security policies on the application server - all the way to the last mile.
Similarly, a service is not secure unless requests from the consumer are validated in the "first mile", before they interact with critical systems. JaxView is able to secure the initial consumer request, ensuring that only authentic requests reach your critical systems.
JaxView Features for SOA & Cloud APIs Security
When deployed as a service proxy, JaxView can be used as a policy enforcement point for centralized runtime governance of service-oriented environments. JaxView can also deploy small agents on the application server to enforce policies. Both deployment options include the following capabilities:
Security Proxy and XML Firewall Functions
Use JaxView as an XML gateway or XML firewall component to enable centralized security for Web services, save implementation time and ease security management. This mode allows you to use JaxView to:
- Authenticate users against LDAP and Identity Management Services
- Map tokens using Secure Token Service (STS)
- Authenticate and authorize consumers using Secure Token Service (STS)
- Handle incoming and outgoing SSL/TLS handshakes
- Block access to individual service operations based on consumer IP address
- Support connections using X.509 certificates or Kerberos
- Encrypt or decrypt XML message content for both request and response
- Insert digital signatures in the request or response XML payload
- Validate XML digital signatures and WS-Security headers
- Block non-compliant service requests based on message content
- Validate and insert SAML assertions
- Support Windows Integrated Security with Kerberos or NTLM
- Allow consumer access to the service based on the IP address of the consumer
- Integrate with identity providers such as CA SiteMinder, RSA ClearTrust, Oracle Access Manager, OpenSSO, PicketLink STS and Tivoli Access Manager using SAML assertions or Kerberos for single sign-on functionality
- Use Kerberos authentication, where JaxView can be on either the client side or the server side of the authentication
Consumer Authentication and Authorization
One of JaxView's main XML firewall features is that it can provide authentication and authorization for access to your services. Authentication and authorization can be done in several different ways by setting specific policies for the service:
- Through an internal directory - JaxView can authenticate the service consumer and authorize it to consume a specific service operation through an internal directory within the JaxView configuration.
- Through LDAP or Active Directory - JaxView can authenticate consumers of the service using LDAP v2 or v3 against an LDAP server or Active Directory. This could include complex searches through LDAP to make sure the consumer is authorized to use the service.
- Kerberos Authentication - JaxView can act as the client in the Kerberos negotiation, interacting with a Kerberos ticketing server, or on the server side as the service server during the Kerberos negotiation. It has support for keytab files.
- X.509 Authentication - JaxView can authenticate the consumer by checking the validity of the client's certificate through certificate authentication.
JaxView can protect against a variety of HTTP and XML threats by performing prevention, protection and screening. A subset of the threats that JaxView can protect against includes:
- Replay attacks
- XML bomb attacks
- SQL injection
- Parameter tampering
- Oversized payloads
- Schema poisoning
- XPath injection
- XML morphing
- Denial of service attacks
Single Sign On
Use the JaxView service proxy deployment option to integrate with a variety of identity providers or service providers to generate tokens, such as SAML tokens, for session caching and single sign-on functionality. JaxView can embed the token into the payload, send the token back to the client application, and manage session caching with expiration. JaxView integrates with STS and identity management providers such as CA SiteMinder, RSA ClearTrust, Oracle Access Manager, OpenSSO, PicketLink STS and Tivoli Access Manager.
Embedded Secure Token Service(STS)
JaxView includes a Secure Token Service for creation and validation of tokens for single sign-on functionality. You can have a single JaxView instance work as both an STS and a gateway, or separate the functionality. You can find a 10 minute demonstration of JaxView Secure Token Service here.
Runtime Policy Enforcement Functions
Use the JaxView service proxy deployment option to combine enforcement of automated policies on service access and usage with visibility into policy compliance. JaxView enables you to:
- Block access to individual service operations based on time of day or date
- Create and manage WS-Policy assertions using JaxView's internal repository and WS-Policy tools
- Automatically update service and policy information from a UDDI-compliant registry
- Monitor for policy compliance and compliance failures
- Set daily or hourly limits on the number of service requests that are forwarded
- Block service messages that exceed a certain size
- Throttle messages
- Apply protocol conversion (i.e.: JMS -> HTTP or vice versa) with an open API for all protocol customization
Closed-loop Service and Policy Management Functions
Increase your efficiency in managing services and runtime policies by integrating JaxView with a UDDI service registry. Use JaxView's bi-directional registry synchronization capability to:
- Automatically query the service registry and update service information
- Automatically configure new service monitoring configurations in JaxView by querying a service registry
- Automatically query the service registry and update JaxView policy implementations
- Create, update and manage policies through the JaxView interface
- Export JaxView policy implementations as WS-Policy-compliant assertions to a UDDI registry
- Automatically update the service registry with service information and policy changes made using the JaxView interface
Web Service Policy Profiles
JaxView enables you to create a set of policy profiles and assign them to a group of services as they are discovered. You can:
- Create policy profiles once and assign them to a group of Web Services
- Assign multiple policy profiles to a Web Service. For example, you can have one set of policies for internal consumers of the service and another set for external consumers of the service.