tags:

views:

38

answers:

4
+1  Q: 

Authenticating servers - what's a good approach?

Edit

Thanks for the suggestions; to clarify, we already use SSL, but that doesn't generally authenticate the requesting party, merely the responding party (IIRC?). I'll look into the other ideas right away, thanks for the brainstorm!

Background

The organization I work for has a heterogeneous bunch of servers providing various services throughout the network. They're each written in their own idiosyncratic way and have their own protocols for querying and modifying data. Unsurprisingly, communication between these systems is constantly growing, and keeping everything in sync and able to communicate is getting harder. To improve maintainability, we want to switch to using web-services internally; this would help simply to improve maintainability to have some kind of portable, standardized data-interchange + messaging format. With more communication also comes the need to trust other servers and the messages they're sending.

Question

We have a bunch of servers offering interrelated services via web services (i.e. SOAP). All HTTP traffic is via SSL. How can the requesting servers ensure that they're talking to the right responding server? SSL by default authenticates the receiver to the sender. E.g. assume the network is hacked or someone wants to change some info (by calling a method) without authorization. How can we prevent such an agent from simply spoofing the sender?

WS-Security implementations from various vendors (say, .NET and java) don't seem to play nice with each other - in particular when services get more complicated (with stuff like transaction support), so that solution is unfortunately probably not a good one.

We have a (trusted) LDAP server against which users are authenticated; storing server authentications here is natural - but how? Having a username/password for a server is somewhat pointless, since if you need to send those to another server to authenticate yourself, that server might not be who it claims to be, and in any case, if it's hacked, it now can pretend to be you...

Perhaps we're missing an obvious solution, so I won't muddy the waters with our own ideas just yet - what would you do?

+1  A: 

The obvious answer here is certificates (some sort of internal PKI). But getting them to work with your various languages and so on may be complicated; and just the management of it may itself be a security nightmare.

Thus, as a way of "cheating" I wonder if you can't have them all write to a centralised 'sync' server of some type, and then they all query it. At least in this way, you make your authentication process much simpler, and you get the benefit of centralised data. I don't know if it's relevant for you, but it's the first thing I'd try and do, in such a situation.

Noon Silk  2010-02-11 11:14:10
I don't quite follow your intent. Let's say as example Server A queries B and calls B's getCurrentTime() method - but B should only execute that method if it can verify the identify of A - how does this "writing to a central sync server" work in this example scenario?
Eamon Nerbonne  2010-02-11 14:42:02
Eamon: I was under the impression your underlying desire was to centralise data, not necessarily perform actions/calls. In that case, a certificate-based system is appropriate, but it will involved a lot of management, if you have a lot of servers who are changing, and so on.
Noon Silk  2010-02-11 22:05:50
Centralising the data is not feasible for use, the best we can do is standardize it so it's at least easily cross-referenced - so that's the aim. The cross-referencing will then involve such "RPC"-like actions to request the bits from each silo that are needed for a particular purpose and to ensure that crucial data (id's and stuff) remains in sync in the various silos.
Eamon Nerbonne  2010-02-12 09:57:50
Eamon: Fair enough then.
Noon Silk  2010-02-12 10:43:09
+1  A: 

At a web service level you've got things like WS-Security and WS-Trust, but sounds from your description like maybe those are the bits you're having issues with?

At a lower level you could access the web services via SSL and use the SSL infrastructure to ensure the servers are who they say they are.

Since this is internal you can sign your own certificates using something like TinyCA and install the CA root certificate on each server manually rather than paying for Versign/Thawte certs.

Paolo  2010-02-11 11:16:25
Yep, WS-security (etc) worked fine in small examples, but less reliably so when mixing environments, sometimes failing silently, and often without adequately explaining why - each server needs to understand the WSDL provided and should automatically see the need for auth if a method is so marked, but that turns out not to work reliably.
Eamon Nerbonne  2010-02-11 14:45:22
+1  A: 

I would try to use TLS certificates. Every plattform should be able to handle this http standard mechanism.

deamon  2010-02-11 11:17:19
+1  A: 

You need a PKI. You can do this with stunnel, wrapping the servers. Stunnel can then be used to check certificates and authenticate, without having to alter the server code at all. Then, as you work on the servers, you can move them SSL/TLS at your own pace, without even having to do both ends at once.

Andrew McGregor  2010-02-11 13:50:09
We use SSL (edited to add that to the Q) but that only authenticate's the responder, right? I want to authenticate the requesting party as well - i.e. to avoid a call to deleteUser() from a nefarious third party.
Eamon Nerbonne  2010-02-11 15:01:06
Not necessarily; you can have the responder check initiator certificates. In other words, check that the initiator has a certificate that a) you issued and b) is not revoked.
Andrew McGregor  2010-02-11 22:13:17
Thanks for the idea! The no-app-modification required aspect isn't really necessary, but the loose coupling between app+auth certainly might be worth something nevertheless.
Eamon Nerbonne  2010-02-13 11:57:36

related questions

Displaying Version Information in a Web Service
Example Web Service
SoapException: Root element is missing occurs when .NET web service called from Flex
Best practice for webservices
What is your preferred method of sending complex data over a web service?
.Net - Returning DataTables in WCF
Is it possible to return objects from a WebService?
How much extra overhead is generated when sending a file over a web service as a byte array?
Returning Large Results Via a Webservice
File Uploads via Web Services
best way to persist data in .NET Web Service
What is the difference between an endpoint, a service, and a port when working with webservices?
Calling REST web services from a classic asp page
Best way to write a RESTful service "client" in .Net?
Where can I find some good WS-Security introductions and tutorials?
ASP.NET Web Service Results, Proxy Classes and Type Conversion
Web Services -- WCF vs. Standard
C# WCF Service - Backward compatibility issue
Document or RPC based web services
How to easily consume a web service from PHP
Timer-based event triggers
How to pass enumerated values to a web service
Homegrown consumption of web services
How do I print an HTML document from a web service?
How do I fill a DataSet or a DataTable from a LINQ query resultset ?