Question 1: Service Consumer A sends a request message to Service A (1), after which Service A retrieves financial data from Database A (2). Service A then sends a request message with the retrieved data to Service B (3). Service B exchanges messages with Service C (4) and Service D (5), which perform a series of calculations on the data and return the results to Service A.
Service A uses these results to update Database A (7) and finally sends a response message to Service Consumer A (8). Component B has direct, independent access to Database A and is fully trusted by Database A.
Both Component B and Database A reside within Organization A.
Service Consumer A and Services A, B, C, and D are external to the organizational boundary of Organization A.
Component B is considered a mission critical program that requires guaranteed access to and fast response from Database A.
Service A was recently the victim of a denial of service attack, which resulted in Database A becoming unavailable for extended periods of time (which further compromised Component B). Additionally, Services B, C, and D have repeatedly been victims of malicious intermediary attacks, which have further destabilized the performance of Service A.
How can this architecture be improved to prevent these attacks?
A. Services B, C, and D randomly generate Session Key K, and use this key to encrypt request and response messages with symmetric encryption. Session Key K is further encrypted itself asymmetrically. When each service acts as a service consumer by invoking another service, it decrypts the encrypted Session Key K and the invoked service uses the key to decrypt the encrypted response. Database A is replicated so that only the replicated version of the database can be accessed by Service A and other external service consumers.
B. Service Consumer A generates a private/public key pair and sends this public key and identity information to Service A.
Service A generates its own private/public key pair and sends it back to Service Consumer A.
Service Consumer A uses the public key of Service A to encrypt a randomly generated session key and then signs the encrypted session key with its private key. The encrypted, signed session key is sent to Service A.
Now, this session key can be used for secure message-layer communication between Service Consumer A and Service A.
The Service Perimeter Guard pattern is applied to establish a perimeter service that encapsulates Database A in order to authenticate all external access requests.
C. The Direct Authentication pattern is applied so that when Service Consumer A submits security credentials, Service A will be able to evaluate the credentials in order to authenticate the request message. If the request message is permitted, Service A invokes the other services and accesses Database A.
Database A is replicated so that only the replicated version of the database can be accessed by Service A and other external service consumers.
D. A utility service is created to encapsulate Database A and to assume responsibility for authenticating all access to the database by Service A and any other service consumers.
Due to the mission critical requirements of Component B, the utility service further contains logic that strictly limits the number of concurrent requests made to Database A from outside the organizational boundary. The Data Confidentiality and Data Origin Authentication patterns are applied to all messages exchanged within the external service composition in order to establish message-layer security.
Correct answer: D
Question 2: Service Consumer A sends a request to Service A (1). Service A replies with an acknowledgement message (2) and then processes the request and sends a request message to Service B (3). This message contains confidential financial data. Service B sends three different request messages together with its security credentials to Services C, D, and E (4, 5, 6). Upon successful authentication, Services C, D, and E store the data from the message in separate databases (7, 8, 9). Services B, C, D, and E belong to Service Inventory A, which further belongs to Organization B.
Service Consumer A and Service A belong to Organization A.
The service contracts of Services A and B both comply with the same XML schema.
However, each organization employs different security technologies for its service architecture. To protect the confidential financial data sent by Service A to Service B, each organization decides to independently apply the Data Confidentiality and the Data Origin Authentication patterns to establish message-layer security for external message exchanges. However, when an encrypted and digitally signed test message is sent by Service A to Service B, Service B is unable to decrypt the message.
Which of the following statements describes a solution that solves this problem?
A. The problem with the test message occurred because Service A used incorrect keys to protect the message sent to Service B.
Service A used its own public key to sign the message and then used Service B's public key to encrypt the message content. To correct the problem, Service A must use WS-SecureConversation to agree on a secret session key to be used to encrypt messages exchanged between Services A and B.
Because this session key is only known by Services A and B, encrypting the messages with this key also provides authentication of the origin of the data.
B. Although both of the organizations applied the Data Confidentiality and the Data Origin Authentication patterns, the security technologies used for the Service A and Service B architectures may be incompatible. Because there are several technologies and versions of technologies that can be used to apply these patterns, the organizations need to standardize implementation level details of the relevant security technologies.
C. Although both of the organizations successfully applied the Data Confidentiality and the Data Origin Authentication patterns, the order in which the patterns were applied is incorrect. The application of the Data Origin Authentication pattern must always follow the application of the Data Confidentiality pattern to ensure that the message confidentiality from a third party authenticates the origin of the message.
D. The problem with the test message occurred because Service A needed the private key of Service B to digitally sign the message. An attacker pretending to be Service B likely sent a fake private/public key pair to Service A.
Using these fake keys to encrypt and digitally sign the message made the message incompatible for Service B.
Because the fake private key was also used to sign the hash, it explains the source of the problem.
Correct answer: B
Question 3: Service A has two specific service consumers, Service Consumer A and Service Consumer B (1). Both service consumers are required to provide security credentials in order for Service A to perform authentication using an identity store (2). If a service consumer's request message is successfully authenticated, Service A processes the request by exchanging messages with Service B (3) and then Service C (4). With each of these message exchanges, Service A collects data necessary to perform a query against historical data stored in a proprietary legacy system. Service A's request to the legacy system must be authenticated (5). The legacy system only provides access control using a single account. If the request from Service A is permitted, it will be able to access all of the data stored in the legacy system. If the request is not permitted, none of the data stored in the legacy system can be accessed. Upon successfully retrieving the requested data (6), Service A generates a response message that is sent back to either Service Consumer A or B.
The legacy system is also used independently by Service D without requiring any authentication. Furthermore, the legacy system has no auditing feature and therefore cannot record when data access from Service A or Service D occurs. If the legacy system encounters an error when processing a request, it generates descriptive error codes.
This service composition architecture needs to be upgraded in order to fulfill the following new security requirements:
1. Service Consumers A and B have different permission levels, and therefore, response messages sent to a service consumer must only contain data for which the service consumer is authorized.
2. All data access requests made to the legacy system must be logged.
3. Services B and C must be provided with the identity of Service A's service consumer in order to provide Service A with the requested data.
4. Response messages generated by Service A cannot contain confidential error information about the legacy system.
Which of the following statements provides solutions that satisfy these requirements?
A. Apply the Trusted Subsystem pattern by introducing a new utility service that encapsulates data access to the legacy system. After Service A authenticates a service consumer it creates a signed SAML assertion containing authentication and authorization information. The SAML assertions are used by Service A to convey the identity information of Service Consumer A or B to Services B and C.
The utility service filters response messages to the service consumer based on the information in the SAML assertions. The utility service keeps a log of all data access requests made to the legacy system. The Exception Shielding pattern is further applied to the utility service in order to prevent the leakage of confidential error information.
B. Apply the Trusted Subsystem pattern by introducing a new utility service that encapsulates data access to the legacy system. The utility service evaluates request messages by authenticating the service consumer against the identity store and also verifying the digital signature of each request. If the request is permitted, Service A forwards the service consumer's credentials to Services B and C, and to the legacy system. The response messages from Services B and C are returned to Service A, while responses from the legacy system are processed by the utility service. Logic is added to the utility service so that it can log access requests made to the legacy system.
C. Apply the Service Perimeter Guard pattern to provide selective access privileges to Service Consumers A and B.
The resulting perimeter service shares the identity store with Service A, which it uses to authenticate each request message. If authentication is successful, the request message is forwarded to Service A.
Service A then also authenticates the service consumer and retrieves the service consumer's security profile from the identity store upon successful authentication. Each service consumer's security profile includes its authorized level of access. Service consumer authentication is subsequently performed using digital certificates. The Exception Shielding pattern is further applied to the perimeter service in order to prevent the leakage of confidential error information.
D. To correctly enforce access privileges, Services B and C must share the identity store with Service A and directly authenticate Service Consumer A or B.
Furthermore, Services B and C must each maintain two policies: one for Service Consumer A and one for Service Consumer B.
After receiving a request message from Service A, Services B and C must evaluate the validity of the request by using the identity store and the appropriate policy.
Service Consumers A and B are required to submit the necessary security credentials to the legacy system as part of the request message sent to Service A.
After verifying the credentials, the legacy system either performs the necessary processing and sends the response to Service A, or denies access and sends an error message directly to Service Consumer A or B.
The Message Screening pattern is applied to Service A so that it can perform message screening logic in order to filter out unauthorized data coming from the legacy system.
Correct answer: A
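The utility service of answer A, as an added example that is not part of the exam or of Arcitura's material: it verifies a signed assertion issued by Service A, logs every legacy access, filters the all-or-nothing legacy result down to the consumer's authorized level, and shields the legacy error detail from the response. The HMAC-signed token, the permission levels "basic" and "full", the legacy records and the error string are constructed stand-ins for a SAML assertion and the real legacy system.

```python
import base64
import hashlib
import hmac
import json
from datetime import datetime, timezone
# Constructed shared key: stands in for the certificate Service A would use to sign SAML assertions
ASSERTION_KEY = b"constructed-demo-key"
# Constructed legacy data; the single-account legacy system returns all of it or nothing
LEGACY_RECORDS = [
    {"id": 1, "level": "public", "value": "Q1 revenue"},
    {"id": 2, "level": "restricted", "value": "Q1 margin by customer"},
]
# Requirement 2: every legacy access request is logged here, since the legacy system cannot
ACCESS_LOG = []

def issue_assertion(subject, level):
    """Service A's side: after authenticating a consumer, issue a signed assertion
    carrying its identity and authorized level (hypothetical levels 'basic' / 'full')."""
    body = base64.urlsafe_b64encode(json.dumps({"sub": subject, "level": level}).encode()).decode()
    tag = hmac.new(ASSERTION_KEY, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + tag

def verify_assertion(token):
    """Reject any assertion whose signature does not match before trusting its claims."""
    body, tag = token.rsplit(".", 1)
    expected = hmac.new(ASSERTION_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        raise PermissionError("assertion signature invalid")
    return json.loads(base64.urlsafe_b64decode(body))

def legacy_query(query):
    """Stand-in for the legacy system: all-or-nothing access and descriptive error codes."""
    if query != "history":
        raise RuntimeError("LEGACY-ERR-42: table HIST_TBL unavailable on node db7")
    return list(LEGACY_RECORDS)

def utility_service(token, query):
    """Trusted Subsystem: the only path to the legacy system."""
    claims = verify_assertion(token)
    entry = {"ts": datetime.now(timezone.utc).isoformat(), "sub": claims["sub"], "query": query}
    ACCESS_LOG.append(entry)
    try:
        rows = legacy_query(query)
    except RuntimeError as err:
        entry["error"] = str(err)  # descriptive detail stays in the internal log only
        return {"error": "request could not be processed"}  # Exception Shielding
    # Requirement 1: filter the all-or-nothing result down to the consumer's authorized level
    allowed = {"public"} if claims["level"] == "basic" else {"public", "restricted"}
    return {"data": [r for r in rows if r["level"] in allowed]}
```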
We provide one year of free updates
After you purchase our SOA S90.20 materials, you receive the one year of free updates we promise. Our experts check for updates every day, so whenever an update is released during that year we send the updated SOA S90.20 materials to your e-mail address. You will therefore always receive update notifications promptly. We guarantee that you will have the latest version of SOA S90.20 throughout the year after purchase.
We promise a full refund if you fail
We are confident in our S90.20 question bank, so we promise a refund if you fail the exam. We believe you can pass the exam using our SOA S90.20 materials. If you fail, we will refund the full amount you paid, reducing the financial loss of failing the exam.
SOA S90.20 certification exam topics:
Topic | Coverage
---|---
Topic 1 | Security Lab for Services, Microservices & SOA: By covering this topic, SOA developers and security architects learn how to assess case study backgrounds and carry out a series of exercises to solve different inter-related problems.
Topic 2 | Advanced Security for Services, Microservices & SOA: Technical security sub-topics are covered here. The topic of the Arcitura Education S90.20 exam focuses on design, infrastructure, microservices, API gateways, and modern service technologies.
Topic 3 | Microservice Technology Concepts: This topic of the SOA Security Lab exam covers models and concepts vital for establishing secure and effective service implementation mediums.
Reference: https://www.arcitura.com/soacp-gen-1/exams/exam-s90-20-soa-security-lab/
We provide a free SOA S90.20 sample
When purchasing a question bank, customers may worry about its quality, so to address this we provide a free S90.20 sample. You can download and try the sample before purchasing, and decide whether this S90.20 question bank suits you.
S90.20 exam tool: for convenient training, you can install it on multiple computers and study at your own pace.
You can pass the exam with our SOA S90.20 materials
Our SOA S90.20 materials are study materials that our experts developed from years of experience in line with the latest syllabus. We guarantee that the questions and answers in the S90.20 question bank are correct.
This question bank is compiled from analysis of past data, has high coverage, and helps you as a candidate save time and money and raise your chance of passing. Our question bank has a high hit rate and guarantees a 100% pass rate. With our high-quality SOA S90.20 materials, you can pass the exam on the first attempt.
We use a secure payment method
Credit card has always been the safest payment method in the world. Although a small processing fee may be required, it offers protection. To protect customers' interests, our S90.20 question bank can be paid for entirely by credit card.
About receipts: if you need a receipt with your company name, please send us the company name by e-mail. We provide a PDF receipt.
TopExam provides you with the S90.20 question bank, helps with your exam review, and lets you learn difficult specialized knowledge easily. TopExam looks forward to your passing the exam.