Page 1

Microservice Applications: Security, Logging, Tracing

Matthias Fuchs, @hias222
Oracle Code Berlin, 2018/06/12

Page 2

Agenda

• Microservice Example
• Details
  – Logging
  – Security, OAuth, TLS
  – Tracing
• Lessons Learned

Page 3

Microservices Example Flow

• Implementation in the Cloud
  – Access through Loadbalancer
  – Login with OAuth
  – Angular App
• Logging, Tracing
  – Docker Images
  – Logging Service

[Diagram: Loadbalancer in front of Frontend (Angular/nginx) and Services (Rest/Spring Resource Server) running in Docker Containers; Authorization Server (OAuth); Persistence Logging. Flows: Call Web App, Login, Service Call, Web Page]

Page 4

Integrated Cloud Services

• Logging
  – Oracle Management Cloud (Agents)
  – Elastic Search, Kibana (CloudWatch, Lambda, Elastic)
• Authentication/Authorization
  – Oracle Identity Service
  – Cognito, Keycloak, OAM, Ping Identity
• Docker Services
  – Infrastructure Container Service - Kubernetes
  – Enterprise Container Services (AWS), Openshift
  – Google Kubernetes Engine

[Diagram: Services (Rest/Spring Resource Server) connected to the Logging, Identity and Container cloud services]

Page 5

More Cloud Services

• Parameter
  – Object Storage, maybe File Storage
  – S3 Buckets, Systems Manager Parameter Store
• Secrets
  – Oracle Key Vault (Cloud ready?)
  – Identity and Access Management (IAM)
  – AWS Secrets Manager
  – Hashicorp Vault

Page 6: Agenda (section divider)

Page 7

Logging/Monitoring Cloud Services

[Diagram: several Services report through an Agent into the Cloud Service (Logging, Infrastructure Data, Metric App Data), which feeds Dashboard, Analyze and Self Service]

Page 8

Oracle Cloud Agent

Cloud agents run on the hosts where entities are running. Cloud agents collect metrics and log data that is processed, analyzed and visualized in Oracle Management Cloud.

APM agents are specifically for monitoring applications end to end. APM agents can be configured for a wide range of application servers and they collect metrics that are processed, analyzed and visualized in Oracle Application Performance Monitoring.

Page 9

Oracle Cloud Agent Entities

• Entity: A monitored resource such as a database, a host server, a compute resource, or an application server.
  https://docs.oracle.com/en/cloud/paas/management-cloud/gfadg/managing-oracle-management-cloud-entities.pdf
• Oracle Application Performance Monitoring, Oracle Infrastructure Monitoring, Oracle Orchestration, Oracle IT Analytics, Oracle Log Analytics, Oracle Configuration and Compliance, Oracle Security Monitoring and Analytics
• Example Entities:

Page 10

Metric and Logging

Metric
• Standard of measure on a process or property
• Creates measurements
• Content
  – Availability
  – Performance Metrics
  – Alerting
  – CPU, Memory, IO, ..
  – Application Specific: JAVA, DB, …
• Format
  – Values
  – Dashboards

Logs
• Information of Dev
• Content
  – Technical/Business Logs
  – Service Names
  – Trace Ids, Correlation IDs
  – User Names
  – Sometimes measurements: Response Times, Request Size
• Format
  – Json, XML, Text
  – Dashboard

Page 11

Logging in Microservices

• Centralize and Externalize Log Storage
• Log Structured Data
• Correlation IDs
• Dynamic Logging Levels and async Logging
• For analyses and search, user information, security concept

Page 12

Log View

[Screenshots: Oracle; Kibana/Lambda/CloudWatch]

Page 13

Logging in Microservices

Security
• User information
  – Security aware
  – Security Concept

Tracing
• Correlation ID
  – Basis for Tracing
  – Common log structure (JSON, XML, ..)

Page 14: Agenda (section divider)

Page 15

IAAA Framework for Microservices APIs

• Identification: Must support multiple identities and attributes (end users, system components, domains)
• Authentication: Must support multiple authentication methods as well as delegated authentication
• Authorization: Authorization for a single request may be decided at multiple points in the request path
• Accountability: Capture of relevant security data or metadata from API messages

Page 16

Current Approaches

• Network-Level Controls
  – Localhost, Network isolation, SSL
• Application-Level Controls (Tokens)
  – OAuth, OpenID Connect, JWT
• Infrastructure – API Intermediaries
  – API Gateway, Service Proxies
  – Network Overlays
  – Kubernetes, CloudFoundry, AWS
  – IAM, Rules …
• SPIFFE
  – Secure Production Identity Framework for Everyone
  – SPIFFE is a set of open-source standards for securely identifying software systems in dynamic and heterogeneous environments
• Application-Level Controls (Traditional)
  – Cookie-based Sessions, SAML
• Emerging Approaches
  – Serverless, Service Mesh
  – Istio, nginx
• DHARMA Foundational Concepts

[Timeline labels: Network, SAML, Infra, Tokens, SPIFFE, Next]

Page 17

Network: TLS, SSL, openSSL

• TLS is a separate protocol, mostly used with HTTP
• Acts as an interceptor between existing protocols, e.g. HTTP - TCP
• Interceptor on other application protocols (SMTP, Kafka, ..)
• Transparent, out of the scope of user or client
• Not possible with all transport protocols, e.g. UDP
• Always use it

Page 18

Network: TLS, SSL, openSSL

• Higher Layer
  – Handshake
  – Change Cipher Spec, depends on handshake
  – Alert Protocol
  – Application Data Protocol
• TLS Layer
  – Fragment
  – Compression
  – Encrypt to cipher spec
  – Add Header

[Diagram: Application Layer (e.g. HTTP) – SSL/TLS (Higher Layer Subprotocol, TLS Layer Subprotocol) – Transport Layer (TCP) – Network Layer (IP)]
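The record layer described on this slide is small enough to show end to end. The following is an added example, not code from the talk: it implements the "Fragment" and "Add Header" steps of the TLS layer, parses a byte stream back into records and maps the content-type byte onto the four higher-layer subprotocols (handshake, change cipher spec, alert, application data). The sample stream is constructed; compression and encryption are left out, so the records are plaintext and the parser enforces the plaintext length limit a receiver must check before trusting a header.

```python
"""TLS record-layer framing: fragment, add header, and parse back.
Added example; the SAMPLE_STREAM below is constructed, not a real capture."""
import struct

# Content types from RFC 5246, section 6.2.1; these are the slide's four
# higher-layer subprotocols carried by the TLS layer.
CONTENT_TYPES = {
    20: "change_cipher_spec",
    21: "alert",
    22: "handshake",
    23: "application_data",
}
HEADER_LEN = 5                          # type(1) + version(2) + length(2)
MAX_PLAINTEXT = 2 ** 14                 # TLSPlaintext.length limit
MAX_CIPHERTEXT = MAX_PLAINTEXT + 2048   # TLSCiphertext.length limit


class TLSRecordError(ValueError):
    """Raised when a record header cannot be trusted."""


def fragment(data: bytes, size: int = MAX_PLAINTEXT):
    """'Fragment' step: split application data into record-sized chunks."""
    return [data[i:i + size] for i in range(0, len(data), size)]


def build_record(ctype: int, payload: bytes, version=(3, 3)) -> bytes:
    """'Add Header' step: prefix one fragment with type, version and length."""
    if ctype not in CONTENT_TYPES:
        raise TLSRecordError(f"unknown content type {ctype}")
    if len(payload) > MAX_PLAINTEXT:
        raise TLSRecordError("fragment too large; call fragment() first")
    return struct.pack("!BBBH", ctype, version[0], version[1], len(payload)) + payload


def parse_records(stream: bytes, encrypted: bool = False):
    """Return a list of (subprotocol, version, payload) for each record.
    Rejects unknown types, oversized lengths and truncated records instead of
    reading past the buffer."""
    limit = MAX_CIPHERTEXT if encrypted else MAX_PLAINTEXT
    records, pos = [], 0
    while pos < len(stream):
        if len(stream) - pos < HEADER_LEN:
            raise TLSRecordError("truncated record header")
        ctype, major, minor, length = struct.unpack_from("!BBBH", stream, pos)
        if ctype not in CONTENT_TYPES:
            raise TLSRecordError(f"unknown content type {ctype}")
        if length > limit:
            raise TLSRecordError(f"record length {length} exceeds {limit}")
        pos += HEADER_LEN
        if len(stream) - pos < length:
            raise TLSRecordError("truncated record body")
        records.append((CONTENT_TYPES[ctype], (major, minor), stream[pos:pos + length]))
        pos += length
    return records


# Constructed sample: a fake handshake fragment, a fatal alert
# (level 2, description 40 = handshake_failure) and one HTTP request.
SAMPLE_STREAM = (
    build_record(22, b"\x01\x00\x00\x03ABC")
    + build_record(21, b"\x02\x28")
    + build_record(23, b"GET / HTTP/1.1\r\n\r\n")
)

if __name__ == "__main__":
    for name, ver, body in parse_records(SAMPLE_STREAM):
        print(f"{name:18} version={ver} {len(body)} bytes")
```

The length check matters because the header is the only thing a receiver has before it allocates and reads the body; a peer that announces more than 2^14 bytes (2^14 + 2048 once records are encrypted) is violating the protocol and the record should be rejected, not buffered.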

Page 19

https://www.youtube.com/watch?v=iqigxGccezI Modern Secret Managements with Vault, HashiCorp

Page 20

Tokens: OAuth 2.0/(OpenID Connect)

• OAuth History
  – Open Authorization
  – ca. 2008: OAuth 1.0 IETF Group
  – 2012: OAuth 2.0
  – ca. 2014: OpenID Connect (Extension of OAuth 2.0)
• Before: SAML - SSO for web applications
  – Security Assertion Markup Language
  – SAML since 2002, SAML 2.0 2005

Page 21

OAuth

• Implicit (Client: JavaScript)
  – Redirect/Callback
  – Call: response_type=access_token&client_id&redirect_uri
  – Response: Access Token, Refresh Token
• Resource Owner Credentials (backward compatible with OAuth 1.0)
  – Call: grant_type=password, Username/password + Client credentials
  – Response: Access Token or Refresh Token
• Client Credential (Client: Application)
  – Call: grant_type=client_credentials, Client_id/client_secret
  – Response: Access Token
• Authorization Code (Client: Third Party)
  – Redirect/Callback
  – Call: response_type=code&client_id&redirect_uri
  – Response: Authorization Code
  – 2nd Trip: Access Token
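To make the four grants on this slide concrete, here is an added example (not code from the talk) that simulates the authorization server, a Rest-style resource server and a client in one process. The client ids, secrets, redirect URIs, the `AuthorizationServer`/`ResourceServer` classes and the introspection call are all invented for illustration, and plain dicts stand in for the query and form parameters exchanged on the front and back channel. It uses `response_type=token` for the implicit grant, which is the value RFC 6749 defines; the slide writes `access_token`. The checks a server must make are the point: exact `redirect_uri` match, client secret verification for confidential clients, single-use and expiring authorization codes, and `state` verification by the client.

```python
"""OAuth 2.0 grant types simulated in process (added example, not the talk's code).
Client registrations, secrets and endpoints below are constructed."""
import hmac
import secrets
import time


class AuthorizationServer:
    def __init__(self):
        # Registered clients: a confidential third-party app and a public SPA.
        self.clients = {
            "third-party-app": {"secret": "s3cr3t", "redirect_uri": "https://app.example/cb"},
            "spa": {"secret": None, "redirect_uri": "https://spa.example/cb"},
        }
        self.codes = {}    # code -> (client_id, redirect_uri, expiry)
        self.tokens = {}   # access_token -> (client_id, subject, expiry)

    def authorize(self, params, user="alice"):
        """Authorization endpoint (front channel: Redirect/Callback)."""
        client = self.clients.get(params.get("client_id"))
        # Exact redirect_uri match keeps codes/tokens off attacker-chosen hosts.
        if client is None or params.get("redirect_uri") != client["redirect_uri"]:
            return {"error": "invalid_request"}
        rt = params.get("response_type")
        if rt == "code":                                     # Authorization Code, trip 1
            code = secrets.token_urlsafe(16)
            self.codes[code] = (params["client_id"], params["redirect_uri"], time.time() + 60)
            return {"code": code, "state": params.get("state")}
        if rt == "token":                                    # Implicit
            return {"access_token": self._issue(params["client_id"], user),
                    "token_type": "bearer", "state": params.get("state")}
        return {"error": "unsupported_response_type"}

    def token(self, params, passwords=None):
        """Token endpoint (back channel)."""
        cid = params.get("client_id")
        client = self.clients.get(cid)
        if client is None:
            return {"error": "invalid_client"}
        if client["secret"] is not None and not hmac.compare_digest(
                params.get("client_secret", ""), client["secret"]):
            return {"error": "invalid_client"}
        grant = params.get("grant_type")
        if grant == "authorization_code":                    # trip 2: code -> token
            entry = self.codes.pop(params.get("code"), None)  # codes are single use
            if (entry is None or entry[0] != cid or entry[1] != params.get("redirect_uri")
                    or entry[2] < time.time()):
                return {"error": "invalid_grant"}
            return self._response(cid, "alice", refresh=True)
        if grant == "client_credentials":                    # machine-to-machine
            return self._response(cid, cid, refresh=False)
        if grant == "password":                              # Resource Owner Credentials
            pw = (passwords or {}).get(params.get("username"))
            if pw is None or not hmac.compare_digest(pw, params.get("password", "")):
                return {"error": "invalid_grant"}
            return self._response(cid, params["username"], refresh=True)
        return {"error": "unsupported_grant_type"}

    def _issue(self, client_id, subject, ttl=3600):
        tok = secrets.token_urlsafe(24)
        self.tokens[tok] = (client_id, subject, time.time() + ttl)
        return tok

    def _response(self, client_id, subject, refresh):
        resp = {"access_token": self._issue(client_id, subject),
                "token_type": "bearer", "expires_in": 3600}
        if refresh:
            resp["refresh_token"] = secrets.token_urlsafe(24)
        return resp

    def introspect(self, token):
        entry = self.tokens.get(token)
        if entry is None or entry[2] < time.time():
            return {"active": False}
        return {"active": True, "client_id": entry[0], "sub": entry[1]}


class ResourceServer:
    """Rest/Spring-style resource server: serves only active bearer tokens."""
    def __init__(self, auth):
        self.auth = auth

    def get_profile(self, authorization_header):
        scheme, _, token = (authorization_header or "").partition(" ")
        info = self.auth.introspect(token) if scheme.lower() == "bearer" else {"active": False}
        if not info["active"]:
            return 401, {"error": "invalid_token"}
        return 200, {"user": info["sub"]}


def authorization_code_flow(auth, rs):
    """Both trips of the Authorization Code grant for the confidential client."""
    state = secrets.token_urlsafe(8)
    cb = auth.authorize({"response_type": "code", "client_id": "third-party-app",
                         "redirect_uri": "https://app.example/cb", "state": state})
    if cb.get("state") != state:            # client binds the callback to its session
        raise RuntimeError("state mismatch")
    tok = auth.token({"grant_type": "authorization_code", "code": cb["code"],
                      "client_id": "third-party-app", "client_secret": "s3cr3t",
                      "redirect_uri": "https://app.example/cb"})
    return rs.get_profile("Bearer " + tok["access_token"])
```

`authorization_code_flow(AuthorizationServer(), ResourceServer(auth))` walks the two trips of the third-party case from the slide. The client credentials grant deliberately issues no refresh token, since a machine client can simply authenticate again, and a replayed authorization code is refused because `codes.pop` removes it on first use.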

Page 22

Infra: API or Access Gateway

• API Gateway: central mid-tier Loadbalancer
• Switches Security
• Many more Features like throttling or routing

[Diagram: Loadbalancer in front of the API Gateway (Tokens, e.g. SSL + Header Information), which routes to Frontend (Angular/nginx) and Services (Rest/Spring Resource Server) in Docker Containers; Other Services reached via Mutual TLS]

Page 23

Infra: Example Access GW

[Diagram: Access Mgmt Proxy backed by Identity Federation and LDAP; Mutual TLS routing to a 3rd Party and to Apps on CloudFoundry; TLS Authentication with Header information passed to the Apps; Login and OpenID Token obtained via App -> AuthService]

Page 24: Agenda (section divider)

Page 25

Tracing

Wikipedia: In software engineering, tracing involves a specialized use of logging to record information about a program's execution. This information is typically used by programmers for debugging purposes, and additionally, depending on the type and detail of information contained in a trace log, by experienced system administrators or technical-support personnel and by software monitoring tools to diagnose common problems with software. Tracing is a cross-cutting concern.

Page 26

Microservice and Tracing

• Distributed Tracing
• Collect all Traces at a central position
• Correlate our tracing information

[Diagram: Extended Logging → Create Correlation ID → Take existing Correlation ID → Collect centrally for analysis]

Page 27

Poor Man's Distributed Tracing

One solution: at the beginning of the call chain we create a CORRELATION_ID and add it to all log statements. Along with that, we send the CORRELATION_ID as a header to all the downstream services as well, so that those downstream services also use the CORRELATION_ID in their logs. This way we can identify all the log statements related to a particular action across services.

https://dzone.com/articles/microservices-part-6-distributed-tracing-with-spri

Page 28

Where to create the Correlation ID

1. Client
2. LB – API GW
3. Identity
4. First Service

[Diagram: the example flow again, with the candidate positions numbered: (1) the Client, (2) the Loadbalancer / API Gateway, (3) the Authorization Server (OAuth), (4) the first Service (Rest/Spring Resource Server); Frontends (Angular/nginx) and Services run in Docker Containers; Persistence Logging]

Page 29

Enterprise Way: Correlation IDs

• ECID: Execution Context ID, down to the DB
  – Header: X-ORACLE-DMS-ECID, X-ORACLE-DMS-RID
• Header: trace and span ids
• Header: X-Amzn-Trace-Id
• Identity
• … or build your own library
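The "Poor Man's Distributed Tracing" recipe, the "Where to create the Correlation ID" question and the enterprise header names above can be shown together in one small library. The following is an added example, not the shared library from the talk: the service names, the `X-Correlation-ID` header and the sample requests are invented; the two Oracle and AWS header names are taken from the slide. Each service reuses the ID it received if one is present and well-formed, otherwise it mints one (so whichever hop is first in the chain creates it), writes structured JSON log lines that carry the ID and the user, and forwards the ID downstream. Because the inbound header is attacker-controlled, it is validated before it is trusted and logged, which keeps newlines and JSON fragments out of the log pipeline.

```python
"""Correlation-ID propagation with structured logging (added example).
Service names, the X-Correlation-ID header and the sample requests are constructed."""
import json
import re
import uuid

# Inbound headers accepted, in order of preference: the enterprise headers
# named on the slide first, then our own (hypothetical) header.
KNOWN_HEADERS = ("X-ORACLE-DMS-ECID", "X-Amzn-Trace-Id", "X-Correlation-ID")
# Conservative charset and length: an inbound ID is untrusted input.
SAFE_ID = re.compile(r"[A-Za-z0-9._:=;-]{1,128}")


def resolve_correlation_id(headers):
    """Return (correlation_id, created): reuse a valid inbound ID, else mint one."""
    lowered = {k.lower(): v for k, v in headers.items()}
    for name in KNOWN_HEADERS:
        value = lowered.get(name.lower())
        if value and SAFE_ID.fullmatch(value):
            return value, False
    return str(uuid.uuid4()), True


class Service:
    """Stand-in for a Rest/Spring resource server writing to a shared log sink."""
    def __init__(self, name, downstream=None, log=None):
        self.name = name
        self.downstream = downstream or []
        self.log = log if log is not None else []

    def handle(self, headers, user="anonymous"):
        cid, created = resolve_correlation_id(headers)
        self._log("request.received", cid, user=user, created_id=created)
        # Forward the same ID to every downstream call so their logs correlate.
        for svc in self.downstream:
            svc.handle({"X-Correlation-ID": cid}, user=user)
        self._log("request.completed", cid, user=user)
        return cid

    def _log(self, event, cid, **fields):
        # One JSON object per line: the 'Log Structured Data' advice from the deck.
        self.log.append(json.dumps({"service": self.name, "event": event,
                                    "correlation_id": cid, **fields}, sort_keys=True))


def trace(log_lines, cid):
    """Analysis side: every structured line belonging to one correlation ID."""
    return [rec for rec in map(json.loads, log_lines) if rec["correlation_id"] == cid]


def build_chain(log):
    """Gateway -> orders -> persistence, all writing to the same central sink."""
    persistence = Service("persistence", log=log)
    orders = Service("orders", downstream=[persistence], log=log)
    return Service("api-gateway", downstream=[orders], log=log)


if __name__ == "__main__":
    sink = []
    gateway = build_chain(sink)
    cid = gateway.handle({"X-Correlation-ID": "abc-123"}, user="alice")
    for rec in trace(sink, cid):
        print(rec["service"], rec["event"])
```

Running the script shows the six log lines for one request in call order, each carrying `abc-123`; a request that arrives without a usable header gets a fresh UUID at the gateway, which is position 2 on the previous slide, and every downstream line still correlates on it.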

Page 30

Example: ID Tracing – shared Library

Page 31: Agenda (section divider)

Page 32

Lessons Learned

• Infrastructure and Development, DevOps
  – Prepare your Infrastructure with logging etc.
  – Start setting up the infrastructure from the first day of development
  – Logging and Tracing aren't easy
• User authentication/authorization
  – Choose your way to authenticate users
  – Maybe cloud Services are the fastest way, but what about customization?
  – Use open source Frameworks, Cloud Services or enterprise apps?
  – The key to success

Page 33