Tuesday, June 12, 2007

How To - OWSM 10.1.3 : Implement last mile security with gateway

OWSM gateway can be used to protect web services. Since the gateway runs as a separate process, the channel between the gateway and the web service can remain unsecured (the so-called last mile problem). Direct access to the web service that bypasses the gateway should also be disallowed.

Any of the following options can be implemented to secure the channel between the gateway and the web service:

  1. Network level access control - Restrict the web service machine to communicate with the gateway machine only. This is a quick and dirty solution, but may not always be desirable.

  2. Use client certificate auth SSL (also known as 2 way SSL) between gateway and web service - This will ensure that only the gateway app can talk to the web service.

  3. Install server agent on the web service - After verifying security for the incoming messages, the gateway would sign the message that it forwards to the web service using its private key. The server agent would verify the signature, and validate the certificate used for signing. This will ensure that direct access to the web service is not possible.
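The check that option 3 relies on, written out as an added example (this is not OWSM's own code; OWSM signs with WS-Security XML signatures, for which the `ForwardedMessage` envelope below is a constructed stand-in). `GatewaySign` plays the gateway, `AgentVerify` plays the server agent, and `Scenario` builds a constructed CA, gateway key and a "bypass" key that is not issued by that CA, then shows that only the gateway-signed message is accepted: an unsigned direct call, a call signed by the rogue key, and a gateway-signed message altered in transit are all rejected. All names here are assumptions for illustration.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ForwardedMessage is a constructed stand-in for the WS-Security envelope the
// gateway forwards: payload, the gateway's signature over it, and the
// DER-encoded certificate of the signing key.
type ForwardedMessage struct {
	Payload, Signature, CertDER []byte
}

// must panics on error; acceptable for a constructed demo scenario.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issueCert creates a certificate for pub signed by parentKey. With parent == nil
// the certificate is self-signed (used for the constructed CA and the rogue key).
func issueCert(cn string, isCA bool, pub *rsa.PublicKey, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, error) {
	serial := must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64)))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// GatewaySign is the gateway side: after its own policy checks pass, it signs
// the message it forwards with its private key and attaches its certificate.
func GatewaySign(key *rsa.PrivateKey, cert *x509.Certificate, payload []byte) (ForwardedMessage, error) {
	digest := sha256.Sum256(payload)
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return ForwardedMessage{}, err
	}
	return ForwardedMessage{Payload: payload, Signature: sig, CertDER: cert.Raw}, nil
}

// AgentVerify is the server-agent side: accept only messages carrying a valid
// signature from a certificate that chains to the trusted gateway CA. Anything
// that bypassed the gateway cannot produce such a signature.
func AgentVerify(trusted *x509.CertPool, msg ForwardedMessage) error {
	if len(msg.Signature) == 0 || len(msg.CertDER) == 0 {
		return errors.New("unsigned message: direct access rejected")
	}
	cert, err := x509.ParseCertificate(msg.CertDER)
	if err != nil {
		return fmt.Errorf("bad signer certificate: %w", err)
	}
	// Validate the signing certificate: must chain to the trusted CA and be within its validity window.
	opts := x509.VerifyOptions{Roots: trusted, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("signer certificate not trusted: %w", err)
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return errors.New("signer certificate does not carry an RSA key")
	}
	digest := sha256.Sum256(msg.Payload)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], msg.Signature); err != nil {
		return errors.New("signature does not match payload")
	}
	return nil
}

// Scenario builds a constructed PKI and returns the agent's verdict for four
// messages, keyed by case name (nil means accepted).
func Scenario() map[string]error {
	caKey := must(rsa.GenerateKey(rand.Reader, 2048))
	caCert := must(issueCert("constructed-gateway-ca", true, &caKey.PublicKey, nil, caKey))
	gwKey := must(rsa.GenerateKey(rand.Reader, 2048))
	gwCert := must(issueCert("owsm-gateway", false, &gwKey.PublicKey, caCert, caKey))
	rogueKey := must(rsa.GenerateKey(rand.Reader, 2048))
	rogueCert := must(issueCert("bypass-client", false, &rogueKey.PublicKey, nil, rogueKey)) // self-signed, not from the CA
	trusted := x509.NewCertPool()
	trusted.AddCert(caCert)

	payload := []byte(`<soap:Envelope>constructed request</soap:Envelope>`)
	viaGateway := must(GatewaySign(gwKey, gwCert, payload))
	viaRogue := must(GatewaySign(rogueKey, rogueCert, payload))
	tampered := viaGateway
	tampered.Payload = []byte(`<soap:Envelope>altered in transit</soap:Envelope>`)
	return map[string]error{
		"via gateway": AgentVerify(trusted, viaGateway),
		"unsigned":    AgentVerify(trusted, ForwardedMessage{Payload: payload}),
		"rogue key":   AgentVerify(trusted, viaRogue),
		"tampered":    AgentVerify(trusted, tampered),
	}
}

func main() {
	for name, verdict := range Scenario() {
		fmt.Printf("%-12s -> %v\n", name, verdict)
	}
}
```

The two checks in `AgentVerify` are deliberately separate: the chain validation is what makes the rogue-key case fail even though its signature is mathematically valid, and the signature check is what catches the tampered payload even though the certificate is the real gateway's. Dropping either one reopens a bypass.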