Security Guide : Getting Started with VisiSecure

Getting Started with VisiSecure
As more businesses deploy distributed applications and conduct operations over the Internet, the need for high quality application security has grown.
Sensitive information, such as credit card numbers and bank balances, routinely passes over Internet connections between web browsers and commercial web servers. Users engaging in commerce with a bank over the Internet, for example, must be confident that:
VisiSecure lets the client authenticate the bank's server. The bank's server can also take advantage of the secure connection to authenticate the client. In a traditional application, once the connection has been established, the client sends the user's name and password to authenticate. This technique can still be used once a VisiSecure connection has been established, with the additional benefit that the user name and password exchanges will be encrypted. VisiSecure provides support for any number of authentication realms providing access to portions of distributed applications. In addition, with VisiSecure you can create authorization domains that delineate access-control rules for your applications.
VisiSecure overview
VisiSecure provides a framework for securing VisiBroker and BDOC. VisiSecure lets you establish secure connections between clients and servers.
VisiSecure design flexibility
Micro Focus has designed VisiSecure to work with a variety of application architectures, so that it can support many different current and future deployments. However, while VisiSecure represents a powerful security architecture, alone it cannot fully protect your servers. You remain responsible for physical security, and for configuring your base web server (host) and operating system services in the most secure manner possible.
Pluggability
VisiSecure allows many security technologies to be plugged in. Pluggability is provided at various levels: security service providers can plug in and replace the entire set of security services, and application developers can plug in smaller modules to achieve custom integration with their environment. The only layers which are not pluggable are the CSIv2 layer and the transport layer, which are tightly integrated with the internal implementation of the VisiBroker ORB and interact heavily with each other.
VisiSecure for Java
VisiSecure is 100% Java and supports all security requirements of the J2EE 1.3 specification. VisiSecure uses the Java Authentication and Authorization System (JAAS) for authentication, the Java Secure Socket Extension (JSSE) for SSL communications, and the Java Cryptography Extension (JCE) for cryptographic operations. Most of the APIs for Java applications reflect the existing JDK or additional Java standard APIs. Care has been taken not to duplicate APIs at the different security layers. In some cases, the VisiSecure feature set exceeds the J2EE 1.3 security requirements.
VisiSecure for Java features
VisiSecure has the following features:
Enterprise Java Beans (EJB) Container Integration: VisiSecure seamlessly integrates EJB security mechanisms with the underlying CORBA Security Service and CSIv2. CORBA offers enhanced features to the security architecture of your bean. By utilizing VisiSecure, you have options beyond the relatively simple EJB security model.
Web Container Integration: VisiSecure integrates with the web container by providing mechanisms to the web container that allow its own authentication and authorization engines to propagate security information to other EJB containers, as necessary. For example, a servlet trying to invoke an EJB container's bean will act on behalf of the original browser client that triggered the initial request. Security information supplied from the client will be propagated seamlessly to the EJB container. In addition, the web container authentication and authorization engine can be configured to use authentication LoginModules and authorization rolemaps supplied by Micro Focus.
Security Services Administrator: The administration and configuration of VisiSecure is performed using simple-to-use properties and supports tools like the Java keytool.
GateKeeper: You can use GateKeeper to enable authenticated connections across a high-level firewall. This allows clients to connect to the server, even if the server and the application client are on opposite sides of a firewall. Use of the GateKeeper is fully documented in the VisiBroker GateKeeper Guide.
Secure Transport Layer: VisiSecure utilizes SSL, the primary secure transport level communication protocol on the Internet, as a secure transport layer. SSL provides message confidentiality, message integrity, and certificate-based authentication support through a trust model.
VisiSecure for C++
VisiSecure for C++ offers similar features to VisiSecure for Java. See “VisiSecure for C++ APIs” and “Security Properties for C++” for detailed information.
VisiSecure for C++ Features
VisiSecure for C++ has the following features:
Choice of security provider: VisiSecure for C++ enables you to choose either an OpenSSL security provider or the default Certicom security provider. See “Specifying the Security Provider”.
Authentication and Authorization: The authentication and authorization models are similar to those of VisiSecure for Java. This extends the capability of VisiSecure for C++ applications.
Security Services Administrator: The administration and configuration of VisiSecure is performed using simple-to-use properties.
Secure Transport Layer: VisiSecure utilizes SSL, the primary secure transport-level communication protocol on the Internet, as a secure transport layer. SSL provides message confidentiality, message integrity, and certificate-based authentication support through a trust model.
Basic security model
The basic security model describes VisiSecure and its components from a user's perspective. This is the logical model that VisiSecure users need to understand, configure and interact with. The security service groups entities of a system into the following three logical groups (domains):
Authentication realm (User domain): simply a database of users. Each authentication realm describes a set of users and their associated credentials and privilege attributes.
Resource Domain: represents a collection of resources of a single application. The application developer defines the access control policies for access to resources in the application.
Authorization Domain: defines the set of rules that determines whether an access attempt to a particular resource is allowed.
The following figure displays the relationship among these domains.
Figure 1: These three VisiSecure domains are closely related.
Authentication realm (user domain)
An authentication realm, simply described, is a database of users. Each authentication realm describes a set of users and their associated credentials and privileges, such as the user's password and the groups to which the user belongs, respectively. Examples of authentication realms are: an NT domain, an NIS or yp database, or an LDAP server.
A “realm” is a configuration entry that represents an authenticating target.
An authentication realm is defined both by the authentication mechanism it uses (such as LoginModules) and by a set of configuration options customized to point to the source of the data which contains the user information.
For example, if you are using LDAP, then the authentication realm specifies LDAP as the authentication protocol, specifies the name of the server, and specifies other configuration parameters. When you log on to a system, the system is authenticating you. For more information on setting up an authentication realm, see “Authentication”.
Resource domain
A resource defines an application component that VisiSecure needs to protect. VisiSecure organizes resources into resource domains containing every resource in an application. This means every remote method or endpoint that is exposed by a server is essentially a resource.
The application developer defines access control policies for access to resources in the application. These are defined in terms of roles. Roles provide a logical collection of permissions to access a set of resources. For more information, see “Authorization”.
In addition, applications may choose to be more security aware and provide access control for more fine-grained resources such as fields, or for access to external resources such as databases. The EJB and Servlet specifications provide standard deployment descriptor information that allows applications to define their access policies in terms of the set of roles required to access a given method.
Authorization domain
The authorization domain allows users to act in given roles. VisiSecure grants privileges to access resources based on these roles. When VisiBroker applications pass user identities from one application to another, the identity contains user information and the permissions based on the specified roles. The caller's identity is then matched against the rules for the requested resource to determine whether the caller satisfies them. If the caller satisfies the rules, access is granted. Otherwise, access is denied. For more information, see “Authorization”.
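The three domains above (authentication realm, resource domain, authorization domain) can be seen working together in a small model. The following is an added example written for this page; it is not VisiSecure's own code or API, and the type names (User, Realm, RoleMap, AccessRules, Identity), the functions authenticate and isAllowed, and the sample users, groups, roles and method names are all constructed for illustration. In a real VisiSecure deployment the realm is backed by a LoginModule and a user store such as LDAP, the role mapping comes from the rolemap, and the per-method rules come from the deployment descriptors; here each is a plain in-memory table so that the grant/deny decision is visible end to end.

```cpp
// Added example (not VisiSecure's own code): a minimal model of the three
// VisiSecure domains, so the grant/deny decision can be followed end to end.
// All type names, function names and sample data are constructed for illustration.
#include <iostream>
#include <map>
#include <set>
#include <string>

// Authentication realm (user domain): users with a credential and the
// groups (privilege attributes) they belong to.
struct User {
    std::string password;          // constructed sample credential
    std::set<std::string> groups;  // privilege attributes
};
using Realm = std::map<std::string, User>;

// Authorization domain: maps a principal (user name or group name) to the
// roles it is allowed to act in (a stand-in for the rolemap).
using RoleMap = std::map<std::string, std::set<std::string>>;

// Resource domain: every exposed remote method is a resource, guarded by a
// set of roles of which the caller must hold at least one.
using AccessRules = std::map<std::string, std::set<std::string>>;

// Identity passed from one application to another: user name plus the roles
// granted by the authorization domain.
struct Identity {
    std::string user;
    std::set<std::string> roles;
    bool authenticated = false;
};

// Authenticate against the realm. On success the identity carries the roles
// granted to the user directly and via each of the user's groups.
Identity authenticate(const Realm& realm, const RoleMap& roleMap,
                      const std::string& user, const std::string& password) {
    Identity id;
    id.user = user;
    auto it = realm.find(user);
    if (it == realm.end() || it->second.password != password) {
        return id;  // unknown user or bad credential: unauthenticated, no roles
    }
    id.authenticated = true;
    auto grant = [&](const std::string& principal) {
        auto r = roleMap.find(principal);
        if (r != roleMap.end()) id.roles.insert(r->second.begin(), r->second.end());
    };
    grant(user);
    for (const auto& g : it->second.groups) grant(g);
    return id;
}

// Authorization decision: grant only if the caller is authenticated, the
// resource has rules, and at least one of the caller's roles is required.
// A resource without rules is denied, so the check fails closed.
bool isAllowed(const AccessRules& rules, const Identity& caller,
               const std::string& resource) {
    if (!caller.authenticated) return false;
    auto r = rules.find(resource);
    if (r == rules.end()) return false;
    for (const auto& role : r->second) {
        if (caller.roles.count(role)) return true;
    }
    return false;
}

// Constructed sample data for a small banking application.
Realm sampleRealm() {
    return {
        {"alice", {"alice-pw", {"tellers"}}},
        {"bob",   {"bob-pw",   {"customers"}}},
    };
}
RoleMap sampleRoleMap() {
    return {
        {"tellers",   {"Teller", "AccountViewer"}},
        {"customers", {"AccountViewer"}},
        {"bob",       {"Auditor"}},  // a role granted to one user directly
    };
}
AccessRules sampleRules() {
    return {
        {"Account.getBalance", {"AccountViewer"}},
        {"Account.transfer",   {"Teller"}},
        {"Audit.readLog",      {"Auditor"}},
    };
}

int main() {
    Identity alice = authenticate(sampleRealm(), sampleRoleMap(), "alice", "alice-pw");
    Identity bob   = authenticate(sampleRealm(), sampleRoleMap(), "bob", "bob-pw");
    std::cout << "alice -> Account.transfer: " << isAllowed(sampleRules(), alice, "Account.transfer") << '\n';
    std::cout << "bob   -> Account.transfer: " << isAllowed(sampleRules(), bob, "Account.transfer") << '\n';
    std::cout << "bob   -> Audit.readLog:    " << isAllowed(sampleRules(), bob, "Audit.readLog") << '\n';
    return 0;
}
```

Two design points carry over to a real deployment: the identity that travels between applications holds roles rather than raw group names, so the receiving container only needs the resource rules, not the realm; and a method with no rule at all is denied rather than allowed, so forgetting to declare a rule for a new remote method cannot silently expose it.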
Distributed transmission
For a distributed environment, in addition to the three domains that make up the basic security model, the following must be considered:
The VisiSecure Service Provider Interface (SPI) provides interfaces and classes to address secure transportation, assertion, and assertion trust. The transmission (or interoperability) is handled by the underlying CSIv2 implementation. Because the implementation of the SPI is closely bundled with the VisiBroker ORB, it cannot be separated from the core as a generic SPI for other languages.
Specifically, the VisiSecure SPI classes enable customization of your Security Service in the following:
Specifying the Security Provider
Prior to version 8.5 SP2, VisiSecure supported the Certicom security provider. At version 8.5 SP2, VisiSecure for C++ supported a choice of security providers, Certicom or OpenSSL. At VisiBroker 8.5 SP4, the only security provider supported by default is OpenSSL and Certicom is deprecated.
However, existing VisiBroker users upgrading from previous versions can switch between security providers by using the SelectSecurityProvider utility, which was delivered as part of SP2. You can use this to specify your security provider after installation, or to change it subsequently. To start this utility:
On Windows systems, run <VBROKERDIR>\bin\SelectSecurityProvider.cmd, either from a command prompt or by double clicking.
On UNIX systems, run $VBROKERDIR/bin/SelectSecurityProvider.sh.
You are prompted to close any open VisiBroker instances, and then prompted as follows:
Please select a security provider:
 
1) Certicom
2) OpenSSL
3) Exit with no changes
 
Select option:
Select the option you require. VisiBroker reconfigures and confirms that the selected security provider is in operation, with the message:
Configuring <name> security provider...
Done.
You can alternatively specify a command line parameter such as:
bin\"SelectSecurityProvider.cmd" certicom
bin/SelectSecurityProvider.sh openssl
This runs the utility to the same effect, but does not provide any prompts.