
Novell and Layer 7

IDENTITY AND ACCESS MANAGEMENT FOR SOA


XML based Web services are transforming how applications get built, integrated and shared. Allowing applications to call and access one another using standards based APIs and message protocols simplifies cross-platform integration and allows application functionality to be reused across multiple business processes.

However, managing the security terms under which applications can access one another over the Internet isn't easy. Machine-to-machine Web service interactions introduce a range of potential risks and vulnerabilities including:

- Web services can access one another through intermediary Web services, requiring access control mechanisms that can span multiple Web service hops
- Web services can be damaged by badly formatted or malicious data, requiring a mechanism to screen and validate data streams before they reach Web service endpoints
- Web service interactions can span multiple identity domains, requiring automated credential translation and federation
- Web services expose functionality through open APIs, requiring an ability to selectively close and virtualize service interfaces
- Web services exchange human readable XML data, requiring selective application of message level privacy and integrity
- Web services can malfunction, requiring real-time exception detection and resolution
- Web services require compliance with different emerging standards like WS-Security, WS-SecureConversation, WS-SecureXchange, WS-Trust and WS-SecurityPolicy, requiring a way of insulating service endpoints from changes in the standards

Coding these security requirements into the Web services themselves is error prone, difficult to manage and impossible to audit.

A superior solution is a combination of three components: a Web service security gateway that centrally enforces Web services security as a proxy on behalf of multiple Web service endpoints; an identity based access control system for establishing a common directory of user and machine credentials and permissions across both Web and Web services; and an XML VPN Client capable of simplifying the federation of Web service interactions. The combination of the Layer 7 SecureSpan XML Firewall, XML VPN Client and Novell Access Manager can deliver customers an integrated solution for managing identity centered security for Web services today.

Access and Single Sign-on for Web Services


Working with Novell, Layer 7 Technologies provides customers the option of reusing their existing identity and access infrastructure for controlling access to their Web service resources. The Layer 7 SecureSpan XML Firewall provides customers a simple to deploy and configure security gateway optimized for XML and the associated security standards like WS-Security, WS-SecureConversation, WS-SecureXchange and WS-SecurityPolicy. It can also extend Novell Access Manager's Web Single Sign-on to Web services.

Fine-Grained Authorization and Entitlement


XML Firewalling for Web Services


Protecting Web services resources against malicious attack or damage brought on by badly structured data is vital for ensuring service reliability and continuity. The Layer 7 XML Firewall provides a clusterable software or hardware gateway that can be dynamically configured to protect Web service endpoints against attack and damage while enforcing diverse message level security preferences like message routing, translation, filtering, redaction, encryption, integrity, and availability.
XML Firewall - Identity Based SOA Security Federated Web Services

Layer 7 SecureSpan XML Firewall and VPN Features


- Integration with Novell Access Manager
- Web service API virtualization and lifecycle management
- Enforcement of service level and operation level access policies
- WS* and WS-I compliant message security
- Advanced SAML 1.1 and 2.0 processing for Web services
- Federation of Web services across identity domains
- Content based processing including routing, translation, filtering, redaction etc.
- Transaction monitoring, alerting and audit
- Software or hardware deployment options
- Optional onboard crypto acceleration and HSM key store
- FIPS compliance

Federation for Web Services


To support cross-domain scenarios, the SecureSpan XML Firewall has the capacity to communicate security policy to a client application in an outside identity domain through the use of an optional Layer 7 client side proxy. The XML VPN Client from Layer 7 uses standards based protocols for negotiating identity and security preferences with the SecureSpan XML Firewall simplifying security management across federated domains. This includes the ability to leverage tokens generated in Novell Access Manager for identity credentials used in federated communications.

Supported Standards and Specifications


XML 1.0, SOAP 1.1, REST, AJAX, XPath 1.0, XSLT 1.0, WSDL 1.1, XML Schema, LDAP 3.0, SAML 1.1/2.0, PKCS #10, X.509 v3 Certificates, FIPS 140-2, Kerberos, W3C XML Signature 1.0, W3C XML Encryption 1.0, SSL/TLS 1.1 / 3.0, SNMP, SMTP, HTTP/HTTPS, JMS 1.0, MQ Series, Tibco EMS 4.0, WS-Security 1.0, WS-Addressing, WS-Trust 1.0, WS-Federation, WS-SecureConversation, WS-MetadataExchange, WS-Policy, WS-SecurityPolicy, WS-PolicyAttachment, WS-SecureExchange, WSIL, WS-I, WS-I BSP, UDDI 3.0

Form Factor
- 1U rack mount appliance, 64-bit multiprocessor platform with XML acceleration ASIC, optional SSL/crypto acceleration with HSM, four GE/FE NICs and dual PSUs
- Gateway software for Red Hat and SUSE Linux and Solaris platforms*
- Soft appliance supporting a broad range of host operating systems

*Note: Some features available in appliance version only

Web Site: www.layer7tech.com Email: info@layer7tech.com Phone: 800.681.9377 Copyright 2008 Layer 7 Technologies Inc. All rights reserved. SecureSpan and the Layer 7 Technologies design mark are trademarks of Layer 7 Technologies Inc.
