The main advantage of service-oriented architectures is the flexibility and efficiency they bring to developing and improving solutions, an advantage that grows with the number of applications involved and the heterogeneity of the environment.
Simple, easy and secure integration of the security services provided by Public Key Infrastructures (PKI) into applications is a key factor in reducing costs during technological improvements aimed at making processes more efficient.
Only a service-oriented approach makes the integration of security mechanisms (or trusted services) simpler, by defining how the systems should interact and by making management far easier; again, the more applications there are to secure and the more heterogeneous the environment, the greater the benefit.
Service Oriented Integration
Service Oriented Integration (SOI) approaches system integration exclusively through service interactions, and is the approach best suited to the integration requirements of the security mechanisms described above.
The features of Service Oriented Integration are summarised below:
- It presents well-defined, standardised access interfaces to the different services. Any application can therefore use a service simply by knowing how to “connect” to it. For instance, if we know how to access a service specialised in verifying digital signatures, we do not need to embed that complex logic in our applications; instead, the applications consume the service through the interface it publishes.
- The means of locating a system that offers a particular service is inherent in the interface itself, so there is no need to tie an application to a fixed supplier of a given service. In the previous example, the location of the service need not be known when the applications are designed, since it is resolved transparently at execution time.
- The service description does not change, even though both the consumer and the supplier may. This gives a high degree of flexibility: the application keeps working regardless of the technology used behind the interface and the changes applied to it. In the previous example, the service can improve and change its trust parameters without any modification to the consumer applications.
A service-oriented architecture (SOA) defines how two entities interact when one of them carries out processing on behalf of the other. Certain entities thus provide a service to other entities that request it, which is why we refer to them as services.
Service-oriented architecture enables a type of integration that combines the traditional objectives of integration with a set of standard, flexible services that other systems can interact with simply by finding and using them at execution time.
Although numerous implementations of service-oriented architecture are possible, the most widely accepted ones are:
- Web Services based on the Simple Object Access Protocol (SOAP).
- Web Services based on the REST (Representational State Transfer) architectural style.
Web Services (WS) are services offered through a Web server to other systems that consume them using Web protocols. WS are increasingly standardised thanks to the adoption of XML (Extensible Markup Language) as the common mechanism for formatting and exchanging data.
As noted above, SOAP is the most widely accepted form of Web Services communication, but not the only one.
A Web service is specified using the Web Services Description Language (WSDL), which gives an abstract definition of the service independent of the programming language used to implement it. Many tools on the market generate Java or .NET stubs from a service's WSDL definition, relieving the integrator/programmer of all XML request/response handling.
Service providers publish their services by registering the WSDL in service directories such as UDDI (Universal Description, Discovery, and Integration), which supply the details of a specific service and its location. UDDI is an online directory of Web service resources that provides the location of a service, its classification within taxonomies and the technical information of the abstract Web service specified in WSDL.
Message exchange between Web service client and server is carried out through SOAP (Simple Object Access Protocol). SOAP can use any transport protocol (for example HTTP, FTP or SMTP), although HTTP is by far the most common. SOAP can be regarded as an abstract mechanism for the remote invocation of operations, i.e. a form of RPC (Remote Procedure Call).
In the general WS architecture (Figure 2-1), the different service consumer entities (consumers) access the services in a standard way through clients (also called Web service clients or agents). The standardisation of the service rests on a common WSDL specification shared by service consumers and providers.
Note that the architecture presented above is a valid subset of the generic Web service architecture, in which consumers can be end users or other services, i.e. services consuming other services.
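The following is an added example, not code from Safelayer or the TrustedX product, showing the consumer/provider exchange described above for the signature-verification service used as the running example: the consumer builds a SOAP 1.1 envelope carrying an OASIS DSS VerifyRequest, a provider answers with a DSS VerifyResponse (or a SOAP Fault), and the consumer decides whether to trust the answer. The provider's verification logic is a constructed stand-in (a SHA-256 digest comparison in place of real certificate-chain, revocation and time-stamp checks), the sample document is constructed, and the DSS result URNs are those of the DSS 1.0 core schema and should be checked against the profile a given service implements.

```python
"""Added example (not TrustedX code): SOAP 1.1 + OASIS DSS VerifyRequest/VerifyResponse exchange.
The stand-in provider replaces real PKI verification with a digest comparison; only the
interface between consumer and provider, and the consumer's checks, are the point here."""
import base64
import hashlib
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
DSS_NS = "urn:oasis:names:tc:dss:1.0:core:schema"
DSS_SUCCESS = "urn:oasis:names:tc:dss:1.0:resultmajor:Success"
DSS_REQUESTER_ERROR = "urn:oasis:names:tc:dss:1.0:resultmajor:RequesterError"
DSS_VALID_ALL = "urn:oasis:names:tc:dss:1.0:resultminor:valid:signature:OnAllDocuments"
DSS_INVALID = "urn:oasis:names:tc:dss:1.0:resultminor:invalid:IncorrectSignature"
ET.register_namespace("soapenv", SOAP_NS)
ET.register_namespace("dss", DSS_NS)


def _q(ns: str, tag: str) -> str:
    """Clark-notation name ({namespace}tag) used by ElementTree."""
    return f"{{{ns}}}{tag}"


def _envelope() -> tuple:
    """Empty SOAP 1.1 envelope; returns (Envelope, Body)."""
    env = ET.Element(_q(SOAP_NS, "Envelope"))
    return env, ET.SubElement(env, _q(SOAP_NS, "Body"))


def build_verify_request(document: bytes, signature: bytes, request_id: str) -> bytes:
    """Consumer side: a DSS VerifyRequest for a detached signature. Only the interface is
    needed here; none of the verification logic lives in the consumer."""
    env, body = _envelope()
    req = ET.SubElement(body, _q(DSS_NS, "VerifyRequest"), {"RequestID": request_id})
    doc = ET.SubElement(ET.SubElement(req, _q(DSS_NS, "InputDocuments")),
                        _q(DSS_NS, "Document"), {"ID": "doc1"})
    ET.SubElement(doc, _q(DSS_NS, "Base64Data")).text = base64.b64encode(document).decode()
    sig = ET.SubElement(req, _q(DSS_NS, "SignatureObject"))
    ET.SubElement(sig, _q(DSS_NS, "Base64Signature")).text = base64.b64encode(signature).decode()
    return ET.tostring(env, encoding="utf-8", xml_declaration=True)


def soap_fault(code: str, text: str) -> bytes:
    """SOAP 1.1 Fault (faultcode/faultstring are unqualified in SOAP 1.1)."""
    env, body = _envelope()
    fault = ET.SubElement(body, _q(SOAP_NS, "Fault"))
    ET.SubElement(fault, "faultcode").text = f"soapenv:{code}"
    ET.SubElement(fault, "faultstring").text = text
    return ET.tostring(env, encoding="utf-8", xml_declaration=True)


def dss_response(request_id: str, major: str, minor: str = "") -> bytes:
    """Provider side: a DSS VerifyResponse echoing the RequestID with a Result block."""
    env, body = _envelope()
    resp = ET.SubElement(body, _q(DSS_NS, "VerifyResponse"), {"RequestID": request_id})
    result = ET.SubElement(resp, _q(DSS_NS, "Result"))
    ET.SubElement(result, _q(DSS_NS, "ResultMajor")).text = major
    if minor:
        ET.SubElement(result, _q(DSS_NS, "ResultMinor")).text = minor
    return ET.tostring(env, encoding="utf-8", xml_declaration=True)


def stub_provider(soap_request: bytes) -> bytes:
    """Constructed provider. In production parse untrusted SOAP with a hardened XML parser
    (e.g. defusedxml); plain ElementTree is used only to keep this example dependency-free."""
    req = ET.fromstring(soap_request).find(f".//{_q(DSS_NS, 'VerifyRequest')}")
    if req is None:
        return soap_fault("Client", "Body does not contain a dss:VerifyRequest")
    rid = req.get("RequestID", "")
    doc_b64 = req.findtext(f"{_q(DSS_NS, 'InputDocuments')}/{_q(DSS_NS, 'Document')}/{_q(DSS_NS, 'Base64Data')}")
    sig_b64 = req.findtext(f"{_q(DSS_NS, 'SignatureObject')}/{_q(DSS_NS, 'Base64Signature')}")
    if not doc_b64 or not sig_b64:
        return dss_response(rid, DSS_REQUESTER_ERROR)
    # Stand-in for the real PKI verification: a SHA-256 digest of the document is compared.
    ok = hashlib.sha256(base64.b64decode(doc_b64)).digest() == base64.b64decode(sig_b64)
    return dss_response(rid, DSS_SUCCESS, DSS_VALID_ALL if ok else DSS_INVALID)


def evaluate_verify_response(soap_response: bytes, expected_request_id: str) -> dict:
    """Consumer side: the checks that turn a response into a trust decision. ResultMajor=Success
    only means the request was processed; the verdict on the signature is in ResultMinor, and
    the response must echo the RequestID the consumer sent. Anything else is a failure."""
    root = ET.fromstring(soap_response)
    fault = root.find(f".//{_q(SOAP_NS, 'Fault')}")
    if fault is not None:
        return {"valid": False, "reason": "soap-fault: " + (fault.findtext("faultstring") or "")}
    resp = root.find(f".//{_q(DSS_NS, 'VerifyResponse')}")
    if resp is None:
        return {"valid": False, "reason": "no-verify-response"}
    if resp.get("RequestID") != expected_request_id:
        return {"valid": False, "reason": "request-id-mismatch"}
    major = resp.findtext(f"{_q(DSS_NS, 'Result')}/{_q(DSS_NS, 'ResultMajor')}") or ""
    minor = resp.findtext(f"{_q(DSS_NS, 'Result')}/{_q(DSS_NS, 'ResultMinor')}") or ""
    return {"valid": major == DSS_SUCCESS and minor == DSS_VALID_ALL, "reason": minor or major}


def demo(tamper: bool = False) -> dict:
    """Offline round trip against the stand-in provider; tamper=True alters the document."""
    doc = b"Purchase order 4711: 120 units at 9.50 EUR"   # constructed sample document
    signed = hashlib.sha256(doc).digest()                  # stand-in signature blob
    doc_sent = doc + b" (edited)" if tamper else doc
    rid = "req-0001"
    return evaluate_verify_response(stub_provider(build_verify_request(doc_sent, signed, rid)), rid)


if __name__ == "__main__":
    print(demo(), demo(tamper=True))
```

In a real deployment the envelope goes to the endpoint named in the WSDL over HTTPS with server certificate verification enabled, and the stub is replaced by the trusted service; the consumer-side checks (fault handling, RequestID binding, reading ResultMinor rather than stopping at ResultMajor) are what keep the application from treating a processed-but-negative answer as a valid signature.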
Trusted Services Platform
In a service-oriented platform of trusted services, each service is designed to reduce the security risks associated with electronic business.
A service-oriented security platform provides a simple Web Services based interface to all PKI services, so that this functionality can be incorporated in a simple, fast and reliable manner. More specifically, it can provide the following functionalities:
- Electronic Signature. Through different service components, it allows electronic signatures to be generated and verified. This component recognises different certification service providers and allows electronic evidence to be generated and held in custody so that signatures can still be verified over time.
- Data Protection. Different service components provide data protection and custody, guaranteeing that data is preserved and remains accessible to authorised entities in the long term.
- Key Management. This service component allows entities’ keys to be registered, consulted, revoked, and verified.
- Authentication, Authorisation and Access Control. Using a common service component, it is possible to authenticate and authorise registered entities and control their access, enabling single sign-on and federation across the entire platform (users, Web services and applications).
- Object and Entity Management. A common service component provides an XML-based uniform information model for all objects and entities in the platform. It completely masks formats (XML, ASN.1, tables, etc.), information sources (SQL, LDAP, files, etc.) and locations (Intranet, Extranet, WAN, etc.). It thus offers registration, retrieval and modification of entity information, particularly regarding identity, configuration and auditing.
- Auditing and Accounting. All the log and use/consumption information of the whole platform is handled in a centralised, uniform fashion. Any type of report can be generated through controlled access to activity information.
These services in turn rely on one or more public key infrastructure services to verify digital certificates and obtain time-stamps.
The TrustedX Platform
The TrustedX platform provides a complete set of trusted services based on Public Key Infrastructures (PKI) in a standard, service-oriented fashion. Any type of consumer can use them, whether an end user, an application or another service.
The TrustedX platform offers the following benefits:
- A Complete Solution: The Safelayer solution provides all the necessary security components, including authentication, authorization, electronic signature, data protection, as well as key and electronic signature management, and custody technology. The platform can also incorporate KeyOne solutions for managing digital certificates and issuing time-stamps, such as KeyOne CA/RA, KeyOne TSA and KeyOne VA.
- Service-oriented Strategic Integration. TrustedX enables security functions to be integrated into applications as trusted services within service-oriented architectures (SOA). This is clearly in line with prevailing practice in the engineering of corporate information systems and brings to an end a phase dominated by inflexible software architectures.
- Greater Orientation Towards Business Processes. The key factor in decision-making is knowing exactly how trustworthy information is at all times: who its authors are and what their attributes are. One of TrustedX's distinctive features is its capacity to supply these attributes to the applications, simplifying their logic, increasing trustworthiness and avoiding changes to the applications when new security services or authentication mechanisms (for example, validation authorities or time-stamping) are introduced.
- Greater Ease and Control. The solution allows a common set of trust policies, together with centralised control and auditing, to be set up and maintained. For example, it removes from applications the complexity of dealing with many certification authorities (CAs) and different validation mechanisms (VAs), it allows federation with other trust domains transparently to the applications, and it can regulate the use of cryptography in critical business processes, among other things.
- A simple solution, quickly implemented: TrustedX is an innovative solution that consolidates the Enterprise Trust Integration (ETI) concept in the context of Service-Oriented Architectures (SOA), in which all functions are defined as specialised services using Web service technologies (WSDL/SOAP). TrustedX services can be used in three ways: (i) as Web services, using popular tools such as Axis or .NET, or the XPath and XSLT standards as variants; (ii) through an API integrated in the applications that consumes the TrustedX services transparently; or (iii) through the integration gateway, which avoids modifying the applications and allows a chain of processing to be applied to data using the XML Pipeline language.
- An open and flexible solution: Both the services infrastructure and the trusted services themselves are based exclusively on standards or on drafts from current standardisation work. The infrastructure standards WSDL, SOAP, XML and UDDI and the security standards SSL, TLS, OASIS DSS, WS-Security and SAML are supported; XACML, WS-Trust, WS-Federation and XKMS support is planned. The main electronic signature and encryption formats are also supported: PKCS#7/CMS, S/MIME, PDF-Sig, XML-DSig, XML-Enc, CAdES and XAdES. This makes the infrastructure independent of the implementation technology (C++, Java, J2EE, .NET, etc.) and interoperable with any product on the market that uses the above standards.
- Solutions that guarantee return on investment and investment protection: Digital signatures simplify processes and improve efficiency. The capacity of the Safelayer TrustedX platform to adapt to corporate processes, together with its adoption of market standards, reduces implementation and start-up costs on the one hand and protects the investment on the other.