PKI for Web Services
Managing the PKI lifecycle for Web services is key to securing two-way authentication
The Problem: Managing PKI Certificates
Public Key Infrastructure (PKI) provides a foundation for validating identity and message authenticity electronically through the use of trusted digital certificates. On the Web, PKI is most commonly used to authenticate the digital identity of public e-commerce servers. The use of PKI as a general authentication and security technology, however, has been less widespread. Provisioning and maintaining PKI has proven so complex that it is rarely used for client systems with human operators, where entering authentication credentials manually is a simple and reliable option. Manually entering credentials is not an option for Web services, where machine-to-machine interactions predominate. In fact, the core Web services security standards (XML Encryption, XML Signature, and WS-Security) all depend on digital certificates on both the Web service client and the provider. Without a mutual certificate exchange and a PKI-based trust relationship, two machines have no means to authenticate one another or to ensure the privacy, integrity, and accountability of their communication. PKI is therefore an essential technology for securing Web services. Provisioning and managing PKI, however, is an overwhelming programming and administrative challenge. PKI requires the establishment of a root Certificate Authority (CA), negotiation of key exchanges, distribution of certificates to machines, registration of certificates with the CA, binding of certificates to machine identities, lifecycle management of certificates from issuance to revocation, integration of certificates into a Web service client and provider, programmatic manipulation of certificates into digital signatures, and binding of those tokens to different parts of a SOAP message as required. This chain of operations represents a potentially huge burden on developers and security administrators.
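The chain of operations listed above (root CA, client registration, identity binding, chain validation, revocation) carried end to end for a machine client, as an added example that is not part of the original page and not Layer 7 Technologies' software. It is a stand-alone Go program using only the standard library; the CA name and the client host name orders-client.example.test are constructed placeholders, and the XML Signature and SOAP token binding steps are not modeled here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must aborts on setup failures (entropy, encoding) that no caller can sensibly recover from.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// NewRootCA establishes the trust anchor: a self-signed certificate (constructed name)
// whose key is permitted to sign both certificates and CRLs.
func NewRootCA(now time.Time) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Web Services Root CA"},
		NotBefore: now.Add(-time.Minute), NotAfter: now.AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der)), key
}

// EnrollClient is the machine client's side of registration: it generates its own key pair
// and a CSR naming its identity (a constructed host name). The private key never leaves it.
func EnrollClient(id string) (*x509.CertificateRequest, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	req := &x509.CertificateRequest{Subject: pkix.Name{CommonName: id}, DNSNames: []string{id}}
	der := must(x509.CreateCertificateRequest(rand.Reader, req, key))
	return must(x509.ParseCertificateRequest(der)), key
}

// IssueClientCert is the CA's side: check the CSR's proof of key possession, then bind the
// requested identity to that key in a short-lived certificate valid only for client authentication.
func IssueClientCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, csr *x509.CertificateRequest, serial int64, now time.Time) (*x509.Certificate, error) {
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("CSR not signed by the enclosed key: %w", err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: csr.Subject, DNSNames: csr.DNSNames,
		NotBefore: now.Add(-time.Minute), NotAfter: now.AddDate(0, 3, 0),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, csr.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// PublishCRL is the CA's revocation channel. It is published even when empty, so that a
// verifier can always insist on a current, root-signed CRL instead of skipping the check.
func PublishCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, now time.Time, revoked ...*x509.Certificate) *x509.RevocationList {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour)}
	for _, c := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: c.SerialNumber, RevocationTime: now})
	}
	der := must(x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey))
	return must(x509.ParseRevocationList(der))
}

// VerifyClient is the provider's per-connection check: chain to the trusted root, match the
// presented identity, require the client-auth usage, and reject serials listed on a root-signed CRL.
func VerifyClient(cert, root *x509.Certificate, crl *x509.RevocationList, expectedID string, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, DNSName: expectedID, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return err
	}
	if err := crl.CheckSignatureFrom(root); err != nil {
		return fmt.Errorf("CRL not issued by the trusted root: %w", err)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return fmt.Errorf("certificate serial %v is revoked", cert.SerialNumber)
		}
	}
	return nil
}

func main() {
	now, id := time.Now(), "orders-client.example.test"
	root, caKey := NewRootCA(now)
	csr, _ := EnrollClient(id) // the client key pair would later sign its requests
	cert := must(IssueClientCert(root, caKey, csr, 2, now))
	fmt.Println("freshly issued:", VerifyClient(cert, root, PublishCRL(root, caKey, now), id, now))
	fmt.Println("after revocation:", VerifyClient(cert, root, PublishCRL(root, caKey, now, cert), id, now))
}
```

Two design choices matter for the machine-to-machine case the page describes. The client generates its own key and proves possession of it through the CSR signature, so the CA never handles the private key. And the CRL is always published, even when empty, so the provider fails closed when no trustworthy revocation data is available rather than silently skipping the check.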
Solution: PKI Lifecycle Management
There are three requirements for effective PKI in Web services. First, there must be a trusted certificate authority that can validate the authenticity of a digital certificate to a consumer of that certificate. Second, certificates must be easy to generate and manage on client applications; this is especially challenging in Web services, where clients are not operated by humans. Last, there is the challenge of negotiating and exchanging security keys between a client and a service. Current-generation application platforms and development tools do not address these PKI requirements on either the Web service provider or the client.
Layer 7 Value: Built-in PKI Authorities
The Layer 7 Technologies' SecureSpan product line is the first Web services security solution to automate the whole PKI provisioning and management lifecycle for Web services. With SecureSpan, programmers are insulated from the complexity of implementing and maintaining PKI across distributed Web service clients and providers. PKI provisioning becomes a simple administrative task that can be seamlessly integrated into a Web service transaction without any development effort. For customers that have already implemented a private CA or use a public CA like Verisign, the SecureSpan XML Firewall can be configured to use certificates from existing repositories and manage their distribution to Web services clients. Where no CA already exists, or where tactical integrations do not require integration with a root CA, the SecureSpan XML Firewall also bundles an onboard CA with an optional hardware-based key store. Using the onboard CA, an administrator can perform certificate binding and lifecycle operations directly from the SecureSpan Manager, much as they do for any other security preference.
While the SecureSpan XML Firewall addresses the provider side of the PKI problem, implementing PKI for Web services still requires that certificates be generated on a client application, validated by the CA, and integrated into Web service messages. To address this first-mile client problem, Layer 7 Technologies offers the SecureSpan XML VPN Client, a client-side application that provides turnkey client certificate provisioning, signing, and tokenization. Without programmer intervention on the Web service client, the SecureSpan XML VPN Client bootstraps a trust relationship with one or more SecureSpan XML Firewalls, generates a certificate for each XML Firewall, registers itself with the XML Firewall CA, and then performs all of the necessary key exchange and cryptographic operations for messages destined for a Web service proxied by the SecureSpan XML Firewall. With the combination of the SecureSpan XML Firewall and XML VPN Client, PKI for Web services becomes a turnkey and practical operation. Implementing true WS-Security and signing or encrypting message elements becomes a simple matter of dragging and dropping the corresponding security assertion in the SecureSpan Manager user interface. This eliminates the cost and complexity of implementing and managing PKI, allowing Web services integrations to realize the benefits of strong authentication without the associated pains.