ESRIN, 15 July 2009 Slide 1 Web Service Security support in the SSE Toolbox HMA-T Phase 2 FP 14 December 2009 S. Gianfranceschi, Intecs.
Presentation transcript:

ESRIN, 15 July 2009 Slide 1 Web Service Security support in the SSE Toolbox HMA-T Phase 2 FP 14 December 2009 S. Gianfranceschi, Intecs

Slide 2: Agenda
- Introduction
- Toolbox Security Overview
- Security Service Creation
- Security Demo

Slide 3: Agenda (divider slide repeating the four items of Slide 2)

Slide 4: Introduction
- The Toolbox is a framework which facilitates the integration of web services in the HMA infrastructure.
- The component provided in this project is aimed at providing WS-Security at Ground Segment (GS) level, enabling existing Ground Segments to wrap and connect their own catalogues/services to the HMA infrastructure.
- It implements OGC r
- Both internal (deployed on the Toolbox) and external (proxy) services can be secured with this extension.

Slide 5: HMA Infrastructure high-level diagram (figure only).

Slide 6: Agenda (divider slide repeating the four items of Slide 2)

Toolbox Architecture (layer diagram): the Application layer (Gateway and Service, each exposing Asynchronous Operation, Synchronous Operation and Operation) sits above the SOAP layer, the WS-Security Layer (governed by WS-Policy) and the Application Security Layer (governed by XACML Policy).

Toolbox Security Architecture
- Axis2 as basic SOAP engine.
- Axis2 module Rampart (Apache Software Foundation) for the WS-Security layer: its behaviour has been extended to cover the HMAT security requirements (HMAT-SRD-1200-INT_1.1).
- ToolboxSecurityWrapper: Axis2 service with a link to the Policy Enforcement Point (PEP, Application Security Layer) and to the Toolbox Application Layer.
(Diagram: a SOAP message enters Axis2, passes the RAMPART4HMAT module with its WS-Policy, reaches the ToolboxSecurityWrapper (Axis2 service) with its Service Description, which calls the ToolboxPEP with its XACML Policies and then the Toolbox Application Layer.)

Slide 9: Toolbox Security Architecture: Main Activities Allocation (sequence diagram). Participants: Client, Identity Provider, Security Layer (RAMPART4HMAT, WS-Policy), ToolboxPDP (XACML Policies), Toolbox Application layer. Activities shown: get SAML assertion from the Identity Provider; send the WS-Security signed and encrypted SOAP request; check that the encrypted SAML is present and decrypt it; verify the SAML token; enforce enterprise policies on the decrypted SAML and the SOAP request/action; serve the request (Application layer); return the SOAP response, or a Fault if a check fails.

Toolbox Security Architecture: ToolboxPDP
- ToolboxPDP: invoked by the ToolboxSecurityWrapper when the WS-Security check is successful; it enforces the XACML policy check.
- XACML policies are stored in dedicated XML files.
- Each policy carries information about the wrapped service and (optionally) the SOAP action for which the policy applies, and owns a list of policy rules; each rule can refer to SAML token attributes and/or SOAP (body) attribute values.
(Diagram: ToolboxPEP with its XACML Policies.)

XACML example for EO EbRim profile (1/3): the target wrapped service to which this policy applies is wrs (Web Registry Service). The policy XML itself appears only on the slide image.

XACML example for EO EbRim profile (2/3): the SOAP action for registry update to which the policy applies.
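To make the policy structure of the ToolboxPDP slide and this wrs example concrete, here is an added Go sketch (not Toolbox code) of a decision point that works as described: policies scoped to a wrapped service and an optional SOAP action, rules matching SAML token and SOAP body attribute values, default deny. The action name "RegistryUpdate" and the SAML "role" attribute are assumptions; the real XACML attribute identifiers are not in the transcript.

```go
package main

// Attributes are name/value pairs from the decrypted SAML token or the SOAP body.
type Attributes map[string]string
// A Rule applies when every listed attribute has the given value (no attributes: always).
type Rule struct {
	Effect     string // "Permit" or "Deny"
	SAML, SOAP Attributes
}
// A Policy is scoped to one wrapped service and, optionally, one SOAP action;
// an empty Action means the policy covers every action of that service.
type Policy struct {
	Service, Action string
	Rules           []Rule
}
func matches(required, actual Attributes) bool {
	for k, v := range required {
		if actual[k] != v {
			return false
		}
	}
	return true
}
// Decide returns the effect of the first matching rule of the first applicable
// policy (first-applicable); a request that no rule permits is denied by default.
func Decide(policies []Policy, service, action string, saml, soap Attributes) string {
	for _, p := range policies {
		if p.Service != service || (p.Action != "" && p.Action != action) {
			continue
		}
		for _, r := range p.Rules {
			if matches(r.SAML, saml) && matches(r.SOAP, soap) {
				return r.Effect
			}
		}
	}
	return "Deny"
}

// WrsPolicies is a constructed policy set for the wrs (Web Registry Service)
// example: the registry-update action (assumed name "RegistryUpdate") is allowed
// only to subjects whose assumed SAML "role" is "registry-admin"; other wrs actions are open.
var WrsPolicies = []Policy{
	{Service: "wrs", Action: "RegistryUpdate", Rules: []Rule{
		{Effect: "Permit", SAML: Attributes{"role": "registry-admin"}},
		{Effect: "Deny"}, // explicit: otherwise the general wrs policy below would permit
	}},
	{Service: "wrs", Rules: []Rule{{Effect: "Permit"}}},
}
```

The explicit Deny rule matters because evaluation is first-applicable across policies: without it a non-admin registry update would fall through to the general wrs policy and be permitted.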

Slide 13: Agenda (divider slide repeating the four items of Slide 2)

Proxy patterns supported (diagram): in both patterns a Secured Client talks over HTTP (request/response) to the Toolbox PEP, which forwards the request to, and the response from, the External Service; in the second pattern the External Service is fronted by its own PEP. The token can be forwarded unencrypted or encrypted with the public key of the receiver.

Slide 15: General configuration. This keystore should contain all the public keys of the trusted IDPs. The Toolbox uses these keys to check the signature: it loops over all the keys and goes ahead only if one of them allows the signature to be verified.
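An added Go sketch (not Toolbox code) of the trust-store loop just described: the token is accepted only if one of the trusted IDP public keys verifies its signature. Ed25519 stands in for the X.509 keys a real keystore holds; the aliases, the token bytes and the three identity providers are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
)

// TrustStore stands in for the keystore of trusted IDP public keys, keyed by
// alias (Ed25519 replaces the X.509/RSA keys a real keystore would hold).
type TrustStore map[string]ed25519.PublicKey
// VerifyToken mirrors the documented check: loop over every trusted key and
// accept the token only if one of them verifies the signature. The alias of
// the matching key is returned so the caller knows which IDP issued the token.
func (ts TrustStore) VerifyToken(token, sig []byte) (string, bool) {
	for alias, pub := range ts {
		if ed25519.Verify(pub, token, sig) {
			return alias, true
		}
	}
	return "", false
}

// NewIdP constructs an identity provider: its public key (for the trust
// store) and a signer for the tokens it issues.
func NewIdP() (ed25519.PublicKey, func([]byte) []byte) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, func(token []byte) []byte { return ed25519.Sign(priv, token) }
}

// Scenario signs one constructed SAML-like token with two trusted IDPs and
// one IDP missing from the store, and reports which signatures are accepted.
func Scenario() map[string]bool {
	token := []byte(`<saml:Assertion ID="constructed-1">...</saml:Assertion>`)
	pubA, signA := NewIdP()
	pubB, signB := NewIdP()
	_, signUnknown := NewIdP() // deliberately not added to the store
	ts := TrustStore{"idp-a": pubA, "idp-b": pubB}
	res := map[string]bool{}
	_, res["idp-a"] = ts.VerifyToken(token, signA(token))
	_, res["idp-b"] = ts.VerifyToken(token, signB(token))
	_, res["unknown"] = ts.VerifyToken(token, signUnknown(token))
	tampered := append([]byte(nil), token...) // altered after signing
	tampered[len(tampered)-1] ^= 1
	_, res["tampered"] = ts.VerifyToken(tampered, signA(token))
	return res
}
```

The loop treats every key in the store as equally trusted, so removing a decommissioned IDP's key from the keystore is what stops its tokens from being accepted; returning the matching alias lets the policy layer record which IDP vouched for the subject.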

Slide 16: Service creation: Catalogue proxy (1)
1. Select the service name and click Next.
2. Select the type of service and click Next.
3. Enter a Service Abstract and a Service Description and click Next.

Slide 17: Service creation: Catalogue proxy (2)
1. Select the interface and click Next.
2. Select the type of Service and click Next.
3. Enter the security parameters and click Next:
   - Upload the keystore storing the service private key to be used to decrypt the incoming tokens. If the service is configured as a security proxy and the outgoing messages have to be re-encrypted, the keystore must also contain the public key of the connected end point.
   - Enter Alias and Password: the Alias is the identifier of the key in the keystore; the Password is the password of the keystore.
   - Provide the XACML file specifying the filtering rules to be applied to the incoming messages.

Slide 18: Service creation: Catalogue proxy (3)
1. Configure the type of proxy you want to create and click Configure.
2. Select the operation you want to proxy.
3. Tick the first option to forward the message with the security token unencrypted, or the second option to forward it with the security token encrypted using the key of the receiver (to be included in the keystore of the service and identified via the Alias below).
4. Enter the end point of the receiver and the alias of the key to be used to encrypt the security token.

Slide 19: Agenda (divider slide repeating the four items of Slide 2)

Slide 20: Security demo (diagram and video). The Secured Client obtains its token from a Simulated IDP over HTTP request/response, then sends HTTP requests to the Toolbox PEP in front of the Catalogue Service, which forwards them to the ERGO catalogue and returns the responses.