<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/'><id>tag:blogger.com,1999:blog-5066603456638955842.post1690013964879789871..comments</id><updated>2008-09-03T01:17:20.564+01:00</updated><title type='text'>Comments on Connecting SOA to the Cloud: How to configure XML Decryption</title><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://www.soatothecloud.com/feeds/1690013964879789871/comments/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5066603456638955842/1690013964879789871/comments/default'/><link rel='alternate' type='text/html' href='http://www.soatothecloud.com/2008/08/how-to-configure-xml-decryption.html'/><author><name>Mark O'Neill</name><email>noreply@blogger.com</email><gd:image xmlns:gd='http://schemas.google.com/g/2005' rel='http://schemas.google.com/g/2005#thumbnail' width='31' height='6' src='http://1.bp.blogspot.com/_nu5SNZshYes/SKI2NtQ6NVI/AAAAAAAAACA/Mkp8zxsGeTo/s1600-R/markemail.jpg'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>2</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-5066603456638955842.post-4061870305119987945</id><published>2008-09-03T01:17:00.000+01:00</published><updated>2008-09-03T01:17:00.000+01:00</updated><title type='text'>Hi Fidel&lt;br&gt;&lt;br&gt;That's a very good question. The a...</title><content type='html'>Hi Fidel&lt;BR/&gt;&lt;BR/&gt;That's a very good question. 
The advantages of doing XML Decryption on the XML Gateway are that:&lt;BR/&gt;&lt;BR/&gt;(1) You are storing the private key in hardware (and not in a keystore on the file system, as is the usual practice at a Web Service host), &lt;BR/&gt;&lt;BR/&gt;(2) You get better performance than you would at the Web Service host, and:&lt;BR/&gt;&lt;BR/&gt;(3) You can configure the XML Decryption based on a centralized policy, independent of the Web Service host. &lt;BR/&gt;&lt;BR/&gt;*BUT*, as you point out, you still have to think about the end-to-end security, because you have to answer the question: "What about the connection from the XML Gateway to the Web Service host?"&lt;BR/&gt;&lt;BR/&gt;You have a number of options for this. You can:&lt;BR/&gt;&lt;BR/&gt;(a) Set up a mutually authenticated (and encrypted) SSL connection between the XML Gateway and the Web Service host. This has the advantage of being fast (hardware acceleration is only required for the session negotiation part of SSL, and once the session is established, it's fast). In this way, no attacker can connect directly to the Web Service, and the only client which can connect to the Web Service is the XML Gateway itself (which stores its private keys on hardware, so nobody can impersonate it). This is simple to configure on all Web Services platforms, and you have only one "user" (the XML Gateway) to manage. I have set this architecture up myself at customers where the Vordel XML Gateway sits in front of SAP Netweaver.&lt;BR/&gt;&lt;BR/&gt;Or you can:&lt;BR/&gt;&lt;BR/&gt;(b) Run a software XML Gateway right on the Web Service host itself [i.e. at the "Last Mile"]. &lt;BR/&gt;&lt;BR/&gt;Or, similarly: &lt;BR/&gt;&lt;BR/&gt;(c) Deploy an agent embedded into the Web Service endpoint host itself, at the last mile (such as the agents provided by Vordel's partners CA and Oracle). &lt;BR/&gt;&lt;BR/&gt;This is a great question. I think it deserves a blog post answer of its own! 
Look out for such a post on this blog soon....</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/5066603456638955842/1690013964879789871/comments/default/4061870305119987945'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5066603456638955842/1690013964879789871/comments/default/4061870305119987945'/><link rel='alternate' type='text/html' href='http://www.soatothecloud.com/2008/08/how-to-configure-xml-decryption.html?showComment=1220401020000#c4061870305119987945' title=''/><author><name>Mark O'Neill</name><uri>http://www.blogger.com/profile/03202416986720435011</uri><email>noreply@blogger.com</email><gd:image xmlns:gd='http://schemas.google.com/g/2005' rel='http://schemas.google.com/g/2005#thumbnail' width='31' height='6' src='http://1.bp.blogspot.com/_nu5SNZshYes/SKI2NtQ6NVI/AAAAAAAAACA/Mkp8zxsGeTo/s1600-R/markemail.jpg'/></author><thr:in-reply-to xmlns:thr='http://purl.org/syndication/thread/1.0' href='http://www.soatothecloud.com/2008/08/how-to-configure-xml-decryption.html' ref='tag:blogger.com,1999:blog-5066603456638955842.post-1690013964879789871' source='http://www.blogger.com/feeds/5066603456638955842/posts/default/1690013964879789871' type='text/html'/><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='blogger.itemClass' value='pid-1617845394'/></entry><entry><id>tag:blogger.com,1999:blog-5066603456638955842.post-8420524289565291089</id><published>2008-09-02T07:57:00.000+01:00</published><updated>2008-09-02T07:57:00.000+01:00</updated><title type='text'>Thanks for the article!!&lt;br&gt;&lt;br&gt;I´ve been thinking...</title><content type='html'>Thanks for the article!!&lt;BR/&gt;&lt;BR/&gt;I've been thinking about this kind of use for a time and, for me, there is one unsolvable problem: if the XML gateway does the decryption, aren't we breaking the all-important need for end-to-end security?&lt;BR/&gt;&lt;BR/&gt;Thanks for your advice.</content><link rel='edit' 
type='application/atom+xml' href='http://www.blogger.com/feeds/5066603456638955842/1690013964879789871/comments/default/8420524289565291089'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/5066603456638955842/1690013964879789871/comments/default/8420524289565291089'/><link rel='alternate' type='text/html' href='http://www.soatothecloud.com/2008/08/how-to-configure-xml-decryption.html?showComment=1220338620000#c8420524289565291089' title=''/><author><name>Fidel Santiago</name><uri>http://www.blogger.com/profile/15915352461143352708</uri><email>noreply@blogger.com</email><gd:image xmlns:gd='http://schemas.google.com/g/2005' rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:in-reply-to xmlns:thr='http://purl.org/syndication/thread/1.0' href='http://www.soatothecloud.com/2008/08/how-to-configure-xml-decryption.html' ref='tag:blogger.com,1999:blog-5066603456638955842.post-1690013964879789871' source='http://www.blogger.com/feeds/5066603456638955842/posts/default/1690013964879789871' type='text/html'/><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='blogger.itemClass' value='pid-970249330'/></entry></feed>
