Monday, October 19, 2015

Red Hat JBoss Enterprise Application Server (EAP) and the Payment Card Industry (PCI) Data Security Standard

Our guest blogger this week is Albert T. Wong ([email protected])


The Payment Card Industry (PCI) Data Security Standard (DSS) is a proprietary information security standard for organizations that handle branded credit cards from the major card schemes including American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International. The PCI Standard is mandated by the card brands and administered by the Payment Card Industry Security Standards Council.

The Payment Card Industry Data Security Standard (PCI DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. PCI DSS provides a baseline of technical and operational requirements designed to protect account data. PCI DSS applies to all entities involved in payment card processing—including merchants, processors, acquirers, issuers, and service providers. PCI DSS also applies to all other entities that store, process or transmit cardholder data (CHD) and/or sensitive authentication data (SAD).

The PCI DSS Version 3.1 standard (released in 2015) lists twelve (12) requirements which retailers, online merchants, credit data processors, and other payment related businesses must implement to help protect cardholders and their data. The requirements include technology controls (such as data encryption, virus protection, end-user access control and activity monitoring) as well as required procedures.

Most of the requirements focus on site security and encryption, but some of them apply to securing your applications. The JBoss Enterprise Application Server (EAP) team has produced this technical overview document to assist you in understanding the PCI requirements, determining which requirements apply to JBoss Enterprise Application Server (EAP), and how JBoss Enterprise Application Server (EAP) implements the applicable requirements.

The use of JBoss Enterprise Application Server (EAP) in your electronic commerce site, even if installed and configured correctly, does not guarantee that your site will be PCI compliant. The purpose of this document is to describe the relationship between JBoss Enterprise Application Server (EAP) and the PCI Data Security Standard requirements, not about an entire operating environment. PCI compliance can also impose requirements on other components of your site involved in the storage, processing, or transmission of cardholder data, including firewalls, routers, Web servers, Operating Systems, databases and the web application. PCI compliance remains solely the responsibility of the merchant.

For your reference, here is the outline of the standard:

Build and Maintain a Secure Network

Requirement 1: Install and maintain a firewall configuration to protect cardholder data.

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.

Protect Cardholder Data

Requirement 3: Protect stored cardholder data.

Requirement 4: Encrypt transmission of cardholder data across open, public networks.

Maintain a Vulnerability Management Program

Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs.

Requirement 6: Develop and maintain secure systems and applications.

Implement Strong Access Control Measures

Requirement 7: Restrict access to cardholder data by business need to know.

Requirement 8: Identify and authenticate access to system components.

Requirement 9: Restrict physical access to cardholder data.

Regularly Monitor and Test Networks

Requirement 10: Track and monitor all access to network resources and cardholder data.

Requirement 11: Regularly test security systems and processes.

Maintain an Information Security Policy

Requirement 12: Maintain a policy that addresses information security for all personnel.

Where to find information about the Payment Card Industry (PCI) Data Security Standard

Payment Card Industry Data Security Standard: https://www.pcisecuritystandards.org/index.shtml

JBoss Enterprise Application Server (EAP) and PCI compliance

The PCI Data Security Standard (DSS) addresses far more than the security of your JBoss Enterprise Application Server (EAP) application. It covers broad security requirements such as virus protection, and restricting physical access to cardholder data.

It is important to recognize the scope of the requirements, and which of them are related to JBoss Enterprise Application Server (EAP).


Control Objective and its relationship to JBoss Enterprise Application Server (EAP):

  • 1: Install and maintain a firewall configuration to protect cardholder data. (Related only to PCI DSS)
  • 2: Do not use vendor-supplied defaults for system passwords and other security parameters. (Focus area)
  • 3: Protect stored cardholder data. (Related only to PCI DSS)
  • 4: Encrypt transmission of cardholder data across open, public networks. (Focus area)
  • 5: Protect all systems against malware and regularly update anti-virus software or programs. (Related only to PCI DSS)
  • 6: Develop and maintain secure systems and applications. (Related only to PCI DSS)
  • 7: Restrict access to cardholder data by business need to know. (Focus area)
  • 8: Identify and authenticate access to system components. (Focus area)
  • 9: Restrict physical access to cardholder data. (Related only to PCI DSS)
  • 10: Track and monitor all access to network resources and cardholder data. (Focus area)
  • 11: Regularly test security systems and processes. (Related only to PCI DSS)
  • 12: Maintain a policy that addresses information security for all personnel. (Related only to PCI DSS)

PCI Security Standards Council Notices: Legal Terms and Conditions

Acceptance of a given payment application by the PCI Security Standards Council, LLC (PCI SSC) only applies to the specific version of that payment application that was reviewed by a PA-QSA and subsequently accepted by PCI SSC (the "Accepted Version"). If any aspect of a payment application or version thereof is different from that which was reviewed by the PA-QSA and accepted by PCI SSC – even if the different payment application or version (the "Alternate Version") conforms to the basic product description of the Accepted Version – then the Alternate Version should not be considered accepted by PCI SSC, nor promoted as accepted by PCI SSC.

No vendor or other third party may refer to a payment application as "PCI Approved" or "PCI SSC Approved", and no vendor or other third party may otherwise state or imply that PCI SSC has, in whole or part, accepted or approved any aspect of a vendor or its services or payment applications, except to the extent and subject to the terms and restrictions expressly set forth in a written agreement with PCI SSC, or in a PA-DSS letter of acceptance provided by PCI SSC. All other references to PCI SSC's approval or acceptance of a payment application or version thereof are strictly and actively prohibited by PCI SSC.

When granted, PCI SSC acceptance is provided to ensure certain security and operational characteristics important to the achievement of PCI SSC's goals, but such acceptance does not under any circumstances include or imply any endorsement or warranty regarding the payment application vendor or the functionality, quality, or performance of the payment application or any other product or service. PCI SSC does not warrant any products or services provided by third parties. PCI SSC acceptance does not, under any circumstances, include or imply any product warranties from PCI SSC, including, without limitation, any implied warranties of merchantability, fitness for purpose or non-infringement, all of which are expressly disclaimed by PCI SSC. All rights and remedies regarding products and services that have received acceptance from PCI SSC, shall be provided by the party providing such products or services, and not by PCI SSC or any payment brands.

PCI Assessment Services for JBoss Enterprise Application Server (EAP)

There is much more to navigating the PCI standard and the certification procedure than simply installing JBoss Enterprise Application Server (EAP) and making the adjustments outlined in the following sections. Significant portions of the standard apply to your site but not to the software application itself. To help you address those parts of the standard completely, Red Hat Consulting can assist your site in becoming PCI compliant.

Addressing the PCI Data Security Standard within JBoss Enterprise Application Server (EAP)

The following topics deal with each of the detailed requirements that pertain to JBoss Enterprise Application Server (EAP). Some of the requirements are directly related to the JBoss Enterprise Application Server (EAP) software package. Other requirements are unrelated, or indirectly relate to the JBoss Enterprise Application Server (EAP) software package. For example, indirect requirements can affect your use of the operating system security features to secure JBoss Enterprise Application Server (EAP) files.

For several of the requirements that are related only to PCI compliance (and not to JBoss Enterprise Application Server (EAP)) you are referred directly to the PCI DSS for details. Ensure that you keep up with the rapid pace of changing security requirements.

Requirement 1: Install and maintain a firewall configuration to protect cardholder data

Many parts of Requirement 1, such as your wireless network or router setup, do not directly relate to JBoss Enterprise Application Server (EAP), but the requirements that relate to your site topology are extremely important. You must construct your JBoss Enterprise Application Server (EAP) site so that cardholder data is never stored on internet-accessible systems. Additionally, JBoss Enterprise Application Server (EAP) sites should always use firewalls to separate themselves from the internet, from internal networks, and from any other system that is accessible from the internet. Ensure that you implement JBoss Enterprise Application Server (EAP) in a 3-tier configuration using the JBoss EAP Reference Architecture (http://www.redhat.com/en/resources/jboss-eap-6-clustering).

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Read the JBoss EAP Security Guide for details on changing the system password and system hardening.

Requirement 3: Protect stored cardholder data

Beyond the scope of JBoss EAP.

Requirement 4: Encrypt transmission of cardholder data across open, public networks

Disable SSLv2 and other obsolete encryption protocols on your web server.

Enable the Federal Information Processing Standards Publication 140-2 (FIPS 140-2) security standard.

Enable the National Institute of Standards and Technology (NIST) Special Publication 800-131A (SP 800-131A) security standard.
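As an added example (not from the original post and not Red Hat's own documentation), here is how the Requirement 4 advice maps onto the HTTPS connector of the EAP 6 web subsystem in standalone.xml: the ssl element is given an explicit allow-list of TLS versions and a named cipher-suite list instead of a generic protocol value. The schema version, keystore path, alias, password and the exact cipher-suite names are assumptions for illustration; check them against your EAP release.

```xml
<!-- Added example: standalone.xml fragment for the EAP 6 web subsystem.
     Not from the original post. Schema version, keystore path, alias,
     password and cipher-suite names are illustrative assumptions. -->
<subsystem xmlns="urn:jboss:domain:web:2.2" default-virtual-server="default-host" native="false">
    <!-- Plain HTTP stays only to redirect; cardholder data never travels over it. -->
    <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"
               redirect-port="8443"/>
    <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
        <!-- protocol: an explicit allow-list of TLS versions. A generic value such as
             "TLS" or "SSL" lets the JVM choose, which on older JDKs still offered SSLv3.
             SSLv2 and SSLv3 are excluded here simply by not being listed. -->
        <ssl name="https"
             key-alias="server"
             password="CHANGE-ME-store-in-the-vault"
             certificate-key-file="${jboss.server.config.dir}/server.keystore"
             protocol="TLSv1,TLSv1.1,TLSv1.2"
             cipher-suite="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA256"
             verify-client="false"/>
    </connector>
</subsystem>
```

The keystore password is shown in clear text only for readability; in a real deployment it belongs in the EAP password vault, which is also where Requirement 2 (no vendor defaults) comes into play.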

Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs

Although antivirus software is outside the scope of JBoss Enterprise Application Server (EAP), protecting your servers and network from malicious software should always be a priority for a responsible network administrator.

Requirement 6: Develop and maintain secure systems and applications

Ensure that your store's error pages do not display stack traces, either visibly or in the page source.

As your business needs change, you or your business partners might customize your JBoss Enterprise Application Server (EAP) site. As you do so, you must ensure that the customizations do not compromise your site security. Ensure that your developers understand the requirement to develop secure systems by referring to the PA-DSS and PCI-DSS.

Please also monitor the top 10 list of security threats published by the Open Web Application Security Project (OWASP).
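One concrete way to meet the stack-trace point above on EAP 6 (Java EE 6, Servlet 3.0) is an error-page mapping in the application's web.xml; this is an added example, not code from the original post, and the JSP locations are illustrative.

```xml
<!-- Added example: WEB-INF/web.xml for an EAP 6 web application.
     Not from the original post; the JSP paths are illustrative assumptions. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">

    <!-- Any uncaught exception. Without this mapping the container's default error
         page renders the exception class and the full stack trace into the response. -->
    <error-page>
        <exception-type>java.lang.Throwable</exception-type>
        <location>/WEB-INF/errors/generic.jsp</location>
    </error-page>

    <!-- Status codes the store can produce; 500 and 403 get the same neutral page,
         404 gets its own so users are not told an internal failure occurred. -->
    <error-page>
        <error-code>500</error-code>
        <location>/WEB-INF/errors/generic.jsp</location>
    </error-page>
    <error-page>
        <error-code>403</error-code>
        <location>/WEB-INF/errors/generic.jsp</location>
    </error-page>
    <error-page>
        <error-code>404</error-code>
        <location>/WEB-INF/errors/not-found.jsp</location>
    </error-page>

    <!-- Pages under /WEB-INF cannot be requested directly by a client; they are
         reachable only through the container's error-page dispatch. -->
</web-app>
```

The error JSPs themselves must not echo the javax.servlet.error.exception request attribute or ${pageContext.exception}; log the detail server-side with a correlation id and show the user only that id.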

Requirement 7: Restrict access to cardholder data by business need to know

Read the JBoss EAP Security Guide for details on access control lists.

Requirement 8: Identify and authenticate access to system components

Read the JBoss EAP Security Guide for details on default account policies.

Requirement 9: Restrict physical access to cardholder data

Beyond the scope of JBoss EAP.

Requirement 10: Track and monitor all access to network resources and cardholder data

Ensure that the correct level of logging is enabled. Please see the JBoss EAP documentation for more details.
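For the web tier, "the correct level of logging" for Requirement 10 starts with a per-request access log. The fragment below is an added example for the virtual-server element of the EAP 6 web subsystem in standalone.xml, not from the original post; the log directory, pattern and the rotate attribute are assumptions to check against your release.

```xml
<!-- Added example: virtual-server fragment of the EAP 6 web subsystem (standalone.xml).
     Not from the original post. Directory, pattern and rotate are illustrative assumptions. -->
<virtual-server name="default-host" enable-welcome-root="false">
    <alias name="localhost"/>
    <!-- One line per request under jboss.server.log.dir/access-logs.
         %h client address, %l remote logname, %u authenticated user, %t timestamp,
         %r request line, %s status, %b response bytes, plus Referer and User-Agent.
         The request line is logged verbatim, so cardholder data or session tokens must
         never appear in query strings, or the log itself becomes in-scope CHD. -->
    <access-log pattern="%h %l %u %t &quot;%r&quot; %s %b &quot;%{Referer}i&quot; &quot;%{User-Agent}i&quot;"
                resolve-hosts="false" rotate="true">
        <directory path="access-logs" relative-to="jboss.server.log.dir"/>
    </access-log>
</virtual-server>
```

Ship these files to a central log host with restricted write access so that Requirement 10's "track and monitor" covers tampering with the logs as well as the requests they record.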

Requirement 11: Regularly test security systems and processes

Beyond the scope of JBoss EAP.

Requirement 12: Maintain a policy that addresses information security for all personnel

Beyond the scope of JBoss EAP.

Monday, June 29, 2015

Video for Craig Muzilla delivering the middleware keynote at 2015 Red Hat Summit

The shift to a digital economy puts developers in a unique position where they can recognize opportunities to create new value. Craig Muzilla, senior vice president of the Red Hat Applications Product Group, and his team demonstrated a complete OpenShift Enterprise by Red Hat environment, building and deploying a mobile app in real time. He also announced a Red Hat and Samsung strategic alliance.




Having the right middleware makes the things that should work, actually work. And it makes your IT team more productive.

Learn more:
  • Accelerate: Applications are built, tested, and deployed faster.
  • Integrate: Systems and data are connected more easily.
  • Automate: Manual, time-consuming processes are automated.

Thursday, May 21, 2015

Geo-spatial processing capabilities with Open Source Products


In this article we have a guest author, Rich Lucente. Rich is a Red Hat pre-sales engineer focusing on middleware and cloud computing initiatives for federal government customers. He is going to discuss geo-spatial processing capabilities with open source products including Fuse, BRMS, Data Virtualization and EAP. You can find Rich on LinkedIn at https://www.linkedin.com/profile/view?id=50013729 or by email at [email protected].

Overview

Geo-spatial processing permeates the Department of Defense (DoD) with many solutions offered for tasks such as sensor and track fusion and correlation.  Geo-spatial tasks encompass a specialized knowledge domain, often requiring input from subject matter experts for an effective solution.  This article offers recommendations to modernize geo-spatial applications by leveraging current features and capabilities in popular open source products.  This does not go into sufficient detail to create a "fully baked" solution since that would require fully understanding the prerequisites, dependencies, and having access to key stakeholders and existing software capabilities.

A number of DoD programs have expressed an interest in modernization and Red Hat believes that several products in our middleware portfolio can be a key foundation to this effort.  Each product will be briefly described below with its applicability to this problem domain.

Red Hat JBoss Fuse 6.1

Red Hat JBoss Fuse 6.1 includes Apache Camel 2.12.0, which enables the definition of "routes" that specify chains, or pipelines, of activity on a message as it flows from a producer to a consumer.  These routes can include mediation, transformation, and various other processors.  Out of the box, Apache Camel includes a broad range of components that implement the protocols for endpoints.  Examples include common endpoints like filesystems, file transfer protocol (FTP), as well as more complicated interfaces like java database connectivity (JDBC) and web services (both REST and SOAP).

Traditional application and data flow when processing sensor measurements and tracks can be externalized into camel routes, enabling a more flexible processing solution.  The highly specialized processing for sensor and track fusion and correlation can still be embodied in specialized libraries that are accessed via custom message processors and/or custom camel components.  This approach provides more modularity by bubbling up the processing flow to a higher abstraction layer.

These routes can be combined with specialized geo-spatial persistence stores like PostGIS or MySQL with geo-spatial extensions.  Since camel components already exist for database interactions, this enables the results of the specialized library components to be persisted to geo-spatial data stores.  Camel routes can manage the flow of the data through a larger integrated system including subsystems and subcomponents that persist sensor measurement, track data, and correlation/fusion statistics into geo-spatial and other data sources.

Red Hat JBoss Business Rules Management System 6.1

Within complex specialized problem domains, many decision points exist on the type of data, the results of various statistical tests, and other heuristics to optimize the processing of the data.  These decisions are often buried in the implementation of the various libraries and sometimes are duplicated across software components, complicating any modernization and maintenance efforts.

Red Hat Business Rules Management System (BRMS) 6.1 specifically addresses the need to externalize various logical decisions into a versioned rules knowledgebase. Facts can be asserted into the knowledge session and then rules can be applied to prune the solution search space and create inferences on the data.  This externalization of key decision logic enables more flexibility and modularity in implementations.

Fusion and correlation algorithms for sensor measurements and tracks are replete with heuristics and decision logic to optimize the processing of this data.  Rather than bury decisions within the library implementations, BRMS can enable externalization of those decision points, providing for a greater level of flexibility in how tracks and sensor measurements are processed.

Red Hat JBoss Data Virtualization 6.1

Red Hat JBoss Data Virtualization (DV) 6.1 enables federation of multiple physical data sources into a single virtual database, which may be exposed to an application as one or more logical views. Client applications can access each view as a web service (REST or SOAP), a JDBC/ODBC connection, or OData (using Atom XML or JSON). The DV tool offers an optimized query engine and a broad range of connectors to efficiently execute queries to populate the views.

Additionally, DV enables native query pass-throughs [1] to the underlying physical data source for those data sources that provide specialized query capabilities.  For example, databases with geo-spatial extensions can execute specialized queries like whether one object contains another.  By using query pass-throughs the DV query engine will not attempt further processing of the query but instead pass it as-is to the underlying geo-spatial datasource.  This pass-through query processing can be combined with standard SQL queries from other data sources so that DV can provide a highly customizable, flexible data access layer for client applications.  This data access layer can then be accessed as JDBC/ODBC, REST/SOAP web services and OData sources.

The Oracle and MongoDB translators within DV 6.1 also support geo-spatial operators. Specifically, the MongoDB translator [2] supports geo-spatial query operators in the "WHERE" clause when the data is stored in GeoJSON format in the MongoDB document. These functions are supported:

  • CREATE FOREIGN FUNCTION geoIntersects (columnRef string, type string, coordinates double[][]) RETURNS boolean;
  • CREATE FOREIGN FUNCTION geoWithin (columnRef string, type string, coordinates double[][]) RETURNS boolean;
  • CREATE FOREIGN FUNCTION near (columnRef string, coordinates double[], maxdistance integer) RETURNS boolean;
  • CREATE FOREIGN FUNCTION nearSphere (columnRef string, coordinates double[], maxdistance integer) RETURNS boolean;
  • CREATE FOREIGN FUNCTION geoPolygonIntersects (ref string, north double, east double, west double, south double) RETURNS boolean;
  • CREATE FOREIGN FUNCTION geoPolygonWithin (ref string, north double, east double, west double, south double) RETURNS boolean;

The Oracle translator [3] supports the following geo-spatial functions:

  • Relate = sdo_relate
  • CREATE FOREIGN FUNCTION sdo_relate (arg1 string, arg2 string, arg3 string) RETURNS string;
  • CREATE FOREIGN FUNCTION sdo_relate (arg1 Object, arg2 Object, arg3 string) RETURNS string;
  • CREATE FOREIGN FUNCTION sdo_relate (arg1 string, arg2 Object, arg3 string) RETURNS string;
  • CREATE FOREIGN FUNCTION sdo_relate (arg1 Object, arg2 string, arg3 string) RETURNS string;
  • Nearest_Neighbor = sdo_nn
  • CREATE FOREIGN FUNCTION sdo_nn (arg1 string, arg2 Object, arg3 string, arg4 integer) RETURNS string;
  • CREATE FOREIGN FUNCTION sdo_nn (arg1 Object, arg2 Object, arg3 string, arg4 integer) RETURNS string;
  • CREATE FOREIGN FUNCTION sdo_nn (arg1 Object, arg2 string, arg3 string, arg4 integer) RETURNS string;
  • Within_Distance = sdo_within_distance
  • CREATE FOREIGN FUNCTION sdo_within_distance (arg1 Object, arg2 Object, arg3 string) RETURNS string;
  • CREATE FOREIGN FUNCTION sdo_within_distance (arg1 string, arg2 Object, arg3 string) RETURNS string;
  • CREATE FOREIGN FUNCTION sdo_within_distance (arg1 Object, arg2 string, arg3 string) RETURNS string;
  • Nearest_Neighbour_Distance = sdo_nn_distance
  • CREATE FOREIGN FUNCTION sdo_nn_distance (arg integer) RETURNS integer;
  • Filter = sdo_filter
  • CREATE FOREIGN FUNCTION sdo_filter (arg1 Object, arg2 string, arg3 string) RETURNS string;
  • CREATE FOREIGN FUNCTION sdo_filter (arg1 Object, arg2 Object, arg3 string) RETURNS string;
  • CREATE FOREIGN FUNCTION sdo_filter (arg1 string, arg2 Object, arg3 string) RETURNS string;

Hibernate Search in Enterprise Application Platform (EAP)

Besides the above, a canvass of activities across Red Hat shows that the handling of geo-spatial information is also incorporated into other products. Hibernate Search, which is part of Red Hat JBoss Enterprise Application Platform (EAP) and the Red Hat JBoss Web Framework Kit (WFK), implements geo-spatial query capabilities atop Apache Lucene. The implementation enables either a classical range query on longitude/latitude or a hash/quad-tree indexed search when the data set is large.

The Geological Survey of the Netherlands (TNO) is using JBoss EAP 6 in conjunction with Hibernate Spatial to process geo-spatial data.  More information on this is available at https://www.tno.nl/en/focus-area/energy/geological-survey-of-the-netherlands/

Other programs within the Department of Defense are actively applying Red Hat technology as well. Programs often leverage EAP, as well as Apache Tomcat and Apache httpd within Enterprise Web Server, to connect to backends in MySQL and MongoDB for basic track fusion, geo-spatial processing and querying, and displaying tracks on a map.

Conclusion

Geo-spatial processing is a key component of many DoD systems, at both the strategic and tactical level.  This article presented some alternatives to traditional implementations to more flexibly implement solutions that leverage features and capabilities in modern software frameworks.


To find out more examples and articles on each of the products you can also check out the resources from the Technical Marketing Managers:


  • EAP/JDG - Thomas Qvarnström - @tqvarnst
  • DV/Feedhenry - Kenny Peeples - @ossmentor
  • BRMS/BPMS - Eric D. Schabell - @ericschabell
  • Fuse/A-MQ - Christina Lin - @christina_wm

    Monday, May 18, 2015

    Data Virtualization Primer - Introduction

    This week we are starting the Data Virtualization Primer which I am splitting into 3 series - The Basics, The Connectors and the Solutions.  My goal is to publish one or two articles a week, each one covering a topic that can be reviewed in a short amount of time.  Demos and examples will be included and some of the topics will be broken into multiple parts to help easily digest them.  The planned outline is below as well as our first topic which is Data Virtualization Introduction.

    Series 1 - The Basics
    1. Introduction
    2. The Concepts (SOAs, Data Services, Connectors, Models, VDBs)
    3. Architecture
    4. On Premise Server Installation
    5. JBDS and Integration Stack Installation
    6. WebUI Installation
    7. Teiid Designer - Using simple CSV/XML Datasources (Teiid Project, Perspective, Federation, VDB)
    8. JBoss Management Console
    9. The WebUI
    10. The Dashboard Builder
    11. OData with VDB
    12. JDBC Client
    13. ODBC Client
    14. DV on Openshift
    15. DV on Containers (Docker)

    Series 2 - The Connectors

    This series will cover each connector including example demos of each.

    Series 3 - The solutions
    1. Big Data Example
    2. IoT Example
    3. Cloud Example
    4. Mobile Example
    5. JBoss Multi-product examples (Fuse/BPMS/BRMS/Feedhenry/DG)

    Wednesday, April 1, 2015

    Fuse Stickers across the Globe

    We have new Fuse Stickers to share across the globe!   Keep watching for the stickers shown below which include JBoss Fuse and JBoss Fuse for xPaaS.   You can find them at conferences and local workshops through the JBoss Technology Evangelists, Product Managers and Product Marketing Managers.  Follow us through twitter as well as on JBoss Demo Central.


    Christina Lin, JTE
    Kenny Peeples, JTE
    Eric Schabell, JTE
    Thomas Qvarnström, JTE 
    Sameer Parulkar, PMM



    Monday, March 16, 2015

    Data Virtualization Web UI now released for Developer Preview

    We are very happy to announce the Data Virtualization 6.1.0 WebUI Developer Preview: an easy and simple way to create artifacts through a web interface and be productive with DV in minutes. Once signed on to the WebUI you can create your Data Services and manage your Data Library. Watch for more articles, videos and blogs on using the WebUI. The WebUI is a complement to the Teiid Designer in the integration stack for Eclipse.

    The steps to install the Data Virtualization WebUI are simple and they are listed below. 

    Step 1: Download Data Virtualization 6.1.0 GA installer and the WebUI war from jboss.org DV downloads

    Step 2: After installing DV 6.1, give the teiidUser the odata and rest roles. The user must have these roles to access the rest and odata endpoints. The roles file is located at:

    SERVER_DIR/standalone/configuration/application-roles.properties 

    The teiid user will look like this: teiidUser=user,odata,rest 

    Step 3: Copy the war to: 

    SERVER_DIR/standalone/deployments 

    Step 4: Open a browser and access the login page with username admin and password admin at

    http://localhost:8080/dv-ui


    If you are interested in contributing you can find information at https://github.com/Teiid-Designer/teiid-webui


    Tuesday, March 10, 2015

    Picketlink and Keycloak projects are merging!

    Boleslaw Dawidowicz has written a blog with detail regarding Picketlink and Keycloak projects merging.  Check out his blog here and some excerpts are below.   A Knowledge Base article has also been published which is here.

    Together with new PicketLink 2.7.0.Final release, we would like to announce that PicketLink and Keycloak projects will be merging their efforts. Code base of both will get unified and new features will be developed in a single place.

    As part of this merge all key features of PicketLink will get included into Keycloak. Combining strengths of both projects and providing their communities a single polished and unified security solution. Joining both efforts should enable faster progress on new features which will be beneficial for all users and developers leveraging those solutions.

    What can you expect to happen during the next few months?

    • Specific parts of the PicketLink codebase being forked and merged into Keycloak. We are starting with PicketLink Federation / SAML.
    • Inclusion or implementation of particular features will get discussed in public on the Keycloak project mailing list. We are looking forward to your participation there, as we would like to hear your feedback on the changes that we are making.
    • Web sites for both projects will get slightly changed to reflect the new situation.
    • Many new cool features coming shortly!

    Pedro Igor Silva - PicketLink Project Leader
    Bill Burke and Stian Thorgersen - Keycloak Project Leaders
    Bolesław Dawidowicz - Security Platform Architect at Red Hat.

    Wednesday, March 4, 2015

    The new JBoss Demo Central Github Organization and Site


    I am pleased to announce, along with the other JBoss Technology Evangelists, Eric Schabell, Thomas Qvarnstrom and Christina Lin, that our central organization for JBoss demo repositories is available. The team has worked hard to pull together existing content and start new content as well.

    There are two ways to access jbossdemocentral:
    1) The website, with an easy-to-navigate front end to access the source code, videos, articles, etc. for each demo: http://jbossdemocentral.com/
    2) The GitHub organization with all the source code repositories for the demos: https://github.com/jbossdemocentral/

    Give the demos a try and follow us on twitter and our blogs!

    Monday, March 2, 2015

    One Way and Two Way SSL and TLS


    Overview

    Top to Bottom - Internet Explorer, Firefox, Safari, Chrome, and Opera 

    Before going into endpoint security with Camel on EAP and Fuse, I wanted to provide a quick primer on Secure Sockets Layer (SSL). We will have a quick overview and then discuss 1-way and 2-way SSL. SSL should be the first step in protecting sensitive data across the network pipe: it mitigates man-in-the-middle attacks and eavesdropping. SSL is the standard security technology for establishing an encrypted link between a web server and a browser. It ensures that the data passed between browser and server, or between server and server, remains private and unmodified, by providing encryption and trust.

    Encryption uses a private key/public key pair, which ensures that data encrypted with one key can only be decrypted with the other key of the pair. This is referred to as the Public-Key Infrastructure (PKI) scheme. The public key is shared while the private key is kept locally. Which files are stored where is described in the 1-way and 2-way SSL sections below. This also extends to server-to-server communication, in addition to browser-to-server communication.

    Trust is achieved through the use of certificate trust. Certificate trust can be thought of as a chain that starts with the Certificate Authority (or CA). A CA is a company or entity that issues SSL certificates. Web browsers and systems come loaded with a list of recognized issuers, and that list is kept up to date by automatic updates. Certificates can also be self-signed for testing.

    Benefits of SSL through the CIA Triad

    I blogged about the CIA Triad model here. The SANS Institute has an excellent beginner's guide to SSL and TLS which also describes the value of SSL/TLS in relation to the CIA Triad:

    The C-I-A (Confidentiality, Integrity, Availability) Model for information security is addressed in several ways by the use of a secure communications protocol. Confidentiality of the information being passed is the main purpose of the SSL and TLS protocols. Integrity is addressed through the use of message authentication in each message from the first handshake. Additionally, non-repudiation is accounted for through certificate passing in addition to the integrity check from the message authentication. Though more responsibility for the Availability portion of the model (in this example) is placed on the server, Availability is slightly addressed since secure communications prevent malicious users from having direct access to the system.

    Difference between SSL and TLS

    Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are both cryptographic protocols designed to provide communications security over a computer network. The terms SSL and TLS are often used interchangeably or in conjunction with each other (TLS/SSL), but one is in fact the predecessor of the other: SSL 3.0 served as the basis for TLS 1.0, which as a result is sometimes referred to as SSL 3.1. In this document, the US Government describes its guidelines for TLS implementations and indicates that SSL v3 should not be used for sensitive government communications or for HIPAA-compliant communications. This chart gives a good summary of SSL/TLS version support in browsers and of the known attacks and weaknesses that affect each version (BEAST, POODLE, CRIME, RC4).

    No SSL

    With no SSL, data crossing the network is not encrypted. Running without SSL is usually confined to development or test environments.

    2-way SSL (Mutual or Client Authentication)

    In two-way SSL authentication, the SSL client application verifies the identity of the SSL server application, and then the SSL server application verifies the identity of the SSL client application.

    Two-way SSL authentication is also referred to as client or mutual authentication because the application acting as an SSL client presents its certificate to the SSL server after the SSL server has authenticated itself to the SSL client.

    Establishing the encrypted channel using certificate-based 2-Way SSL involves:
    1. A client requests access to a protected resource.
    2. The server presents its certificate to the client.
    3. The client verifies the server’s certificate.
    4. If successful, the client sends its certificate to the server.
    5. The server verifies the client’s credentials.
    6. If successful, the server grants access to the protected resource requested by the client.

    1-Way SSL

    In this mode, the SSL client application is not verified by the SSL server application; only the server's identity is verified.
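The 1-way and 2-way handshakes described above, as an added example that is not part of the original post: a demonstration with Python's `ssl` module over a loopback socket, showing what each side verifies and how a 2-way server rejects a client that presents no certificate. It assumes the `openssl` command line tool is available to mint throw-away self-signed certificates (each self-signed certificate doubles as the other side's trust anchor, standing in for a CA-issued chain); the names `localhost` and `client.example` are constructed test values.

```python
import os, socket, ssl, subprocess, tempfile, threading

WORK = tempfile.mkdtemp()  # throw-away directory for the constructed test certificates

def make_self_signed(name, cn):
    """Mint a self-signed cert/key pair with the openssl CLI (assumed present); test material only."""
    cert, key = os.path.join(WORK, name + ".pem"), os.path.join(WORK, name + ".key")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
                    "-subj", "/CN=" + cn, "-addext", "subjectAltName=DNS:" + cn,
                    "-keyout", key, "-out", cert], check=True, capture_output=True)
    return cert, key

SERVER_CERT, SERVER_KEY = make_self_signed("server", "localhost")       # constructed
CLIENT_CERT, CLIENT_KEY = make_self_signed("client", "client.example")  # constructed

def common_name(peer):  # CN from an ssl.getpeercert() dict, or None when no certificate was received
    return dict(rdn[0] for rdn in peer["subject"])["commonName"] if peer else None

def handshake(mutual, client_presents_cert):
    """Run one TLS handshake over loopback; report what each side verified or why it failed."""
    srv = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    srv.minimum_version = ssl.TLSVersion.TLSv1_2     # rule out SSLv3 and early TLS versions
    srv.load_cert_chain(SERVER_CERT, SERVER_KEY)     # step 2: the server presents its certificate
    if mutual:                                       # 2-way: steps 4-5, server demands and verifies a client cert
        srv.verify_mode = ssl.CERT_REQUIRED
        srv.load_verify_locations(CLIENT_CERT)       # trust anchor the server accepts client certs from
    cli = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)    # CERT_REQUIRED + hostname check by default (step 3)
    cli.minimum_version = ssl.TLSVersion.TLSv1_2
    cli.load_verify_locations(SERVER_CERT)           # trust anchor the client accepts the server cert from
    if client_presents_cert:
        cli.load_cert_chain(CLIENT_CERT, CLIENT_KEY)
    out, lsock = {}, socket.socket(); lsock.bind(("127.0.0.1", 0)); lsock.listen(1)
    def serve():
        conn, _ = lsock.accept()
        try:
            with srv.wrap_socket(conn, server_side=True) as tls:
                out["server_saw"] = common_name(tls.getpeercert())
                tls.sendall(b"hello")                # step 6: access granted
        except ssl.SSLError as e:                    # e.g. PEER_DID_NOT_RETURN_A_CERTIFICATE
            out["server_error"] = e.reason or str(e)
    t = threading.Thread(target=serve); t.start()
    try:
        with socket.create_connection(lsock.getsockname()) as raw, \
                cli.wrap_socket(raw, server_hostname="localhost") as tls:
            out["client_saw"] = common_name(tls.getpeercert())
            out["data"] = tls.recv(16)
    except OSError as e:                             # ssl.SSLError is a subclass of OSError
        out["client_error"] = type(e).__name__
    t.join(); lsock.close()
    return out
```

`handshake(False, False)` is 1-way SSL (the server never learns who the client is), `handshake(True, True)` is 2-way SSL with both identities verified, and `handshake(True, False)` shows the 2-way server refusing a client without a certificate via `server_error`.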

    References:

    http://www.sans.org/reading-room/whitepapers/protocols/ssl-tls-beginners-guide-1029
    http://blog.vanillaforums.com/help/using-ssl-https-vanilla-forum/
    http://en.wikipedia.org/wiki/Public_key_certificate
    https://luxsci.com/blog/ssl-versus-tls-whats-the-difference.html
    http://en.wikipedia.org/wiki/Transport_Layer_Security
    http://mihalos.gr/2013/04/03/ssltls-protocol-overview-part1/
    http://www.codeproject.com/Articles/326574/An-Introduction-to-Mutual-SSL-Authentication


    Friday, September 19, 2014

    A-MQ vs Fuse vs Fuse Service Works

    I saw a blog from Zack at Vizuri comparing JBoss Fuse vs Fuse Service Works.  I thought it would be good to give a brief introduction to the integration products, A-MQ, Fuse and Fuse Service Works, and then share an excerpt from his blog on Fuse vs Fuse Service Works.  I also included some links around Camel on EAP.

    Products:

    JBoss A-MQ
    • Summary: JBoss A-MQ is a high-performance, flexible, lightweight messaging platform.
    • Components: ActiveMQ on Karaf
    • High-performance messaging - A reliable messaging platform that supports standard messaging paradigms for a real-time enterprise.
    • Cross-language and multi-protocol support - Allows native connectivity from applications written in Java, C and C++. Multiple transport protocols for exchanging data between applications, services and devices. Supports JMS 1.1, TCP, SSL, STOMP, NMS, MQTT and AMQP 1.0.
    • Cloud ready - Deploy on premise, in the cloud or in a hybrid configuration.
    • Download: http://www.jboss.org/products/amq/download/

    JBoss Fuse
    • Summary: JBoss Fuse is a lightweight integration platform.
    • Components: ActiveMQ, Camel, CXF, Fuse Fabric on Karaf
    • Pattern-based integration framework - Leverage Apache Camel to provide a full-featured, easy-to-use and intuitive framework for quicker integration solutions.
    • Dynamic configuration and management - Change configuration while the container is running. Easily deploy or update services across nodes while the ESB is running.
    • Multiple connectivity options - Connect to external applications with connectors for JDBC, FTP/SFTP, HTTP/HTTPS, file, SalesForce.com, SAP, Twitter, and more.
    • Full support of AMQP 1.0 - provides wire-level compatibility across connections
    • Vast library of connectors - over 150 out-of-the-box connectors via Apache Camel
    • Managed integration routes - start, stop, measure and trace Camel routes on-premise or in the cloud
    • Improved high availability (HA) - embedded message store for shared-nothing HA
    • Download: http://www.jboss.org/products/fuse/download/

    Apache Camel - Compose your applications from Enterprise Integration Patterns (EIPs) based on the popular Hohpe and Woolf EIPs.
    Apache CXF - Integrate applications with SOAP, XML/HTTP and RESTful HTTP.
    Apache ActiveMQ - Provides core messaging within the ESB and for integrating with other applications.
    Apache Karaf - Offers a lightweight OSGi-based runtime container for managing the components that compose your applications.
    Fabric8 - Makes it simple to manage large, distributed JBoss Fuse deployments from a central location.

    JBoss Fuse Service Works
    • Summary: JBoss Fuse Service Works is a service design, development and integration platform.
    • Components: Fuse components plus SwitchYard and Overlord
    • Core ESB based on JBoss Fuse:
      • Apache Camel - enterprise integration pattern framework
      • Apache CXF - web services, REST
      • Apache ActiveMQ - robust, high-performance messaging
    • Additional value provided by JBoss Fuse Service Works:
      • Lightweight structured service development framework
      • Service governance
      • Business transaction monitoring

    Camel on EAP

    Fuse vs Fuse Service Works:

    JBoss Fuse Service Works may be a better fit if your organization ...
    • is currently heavily invested in Java™ EE 6 development. The Fuse Service Works service model is similar to that of JEE development.
    • would like to take advantage of Java™ EE 6 components from your services. Since FSW is embedded in a JEE container, you have full access to JEE components such as persistence and the injection framework.
    • uses JBoss Enterprise Application Server (EAP) for other components in your infrastructure. Administration tasks such as deployment, clustering and high availability are similar to, if not the same as, those used for FSW.
    • is looking for a robust design-time and runtime service governance platform.

    JBoss Fuse may be a better fit if your organization ...
    • does not use Java or Java Enterprise Edition.
    • does not utilize the JBoss Enterprise Application Server Platform (EAP).
    • uses OSGi in the development of other components in your infrastructure.
    • uses the Apache Karaf container for other components in your infrastructure.
    • does not consider design-time or runtime service governance a major factor in its choice of an integration platform.

    See more at: http://www.vizuri.com/insights/blog/2014/09/jboss-fuse-vs-fuse-service-works-which-right-you