HMA-Testbed Phase 2 AR-2 Meeting 15-16 July 2009, Frascati Yves Coene, SPACEBEL Slide 1
Overview Agenda Planning Project Baseline Slide 2
Agenda TBD: insert agenda here. Slide 3
Schedule and Reviews T0+5M 26/11/2008 18/02/2009 15/07/2009 09/11/2009 Slide 6
Deliverables Slide 7
HMA-T Baseline Slide 10
HMA-T Baseline Proposed changes: OGC 06-131 version 0.2.5 Slide 11
Work Performed SPACEBEL
- WP 2710 – Various support activities
  - GI-CAT Integration
  - CIM Client Implementation (underway)
- WP 3500: Access and Identity Management
Slide 13
GI-CAT Integration CNR-IMAA GI-CAT Test endpoint http://hma.spacebel.be/portal/order/PrepareOperation.do?serviceId=B2818580&operation=Search Slide 14
GI-CAT Integration GI-CAT: Temporal search Slide 15
GI-CAT Integration GetRecordByID Slide 16
GI-CAT Integration ESSI-Lab GI-CAT Issues: corrections applied to GI-CAT test instance not yet deployed on ESSI-Lab GI-CAT. Endpoint contains version number of GI-CAT http://hma.spacebel.be/portal/order/PrepareOperation.do?serviceId=B4818080&operation=Search Slide 17
GI-CAT Integration ESSI-Lab GI-CAT Slide 18
Service Registration Process Registration process for OGC 06-131 catalogue in SSE. Select OGC 06-131 specification Slide 19
URL of GI-CAT GetCapabilities operation used to discover "parentIdentifiers" Slide 20
Entering a second SOAP location creates a second edit pane for a tree structure with a "load button" for Capabilities Slide 21
Collection tree for multi-search catalogue Subtree 1: Collections loaded from CNR-IMAA GI-CAT Subtree 2: Collections entered by hand Slide 22
WP3500: Identity and Access Mgt - Authentication Service Q.M Nguyen, T.H. Nguyen: SPACEBEL Slide 23
WP3400 – Identity & Access Mgt Slide 24
Testbed Deployment Overview OpenLDAP Version 2.1.30 Authentication Service With OpenSAML library Web Service Test Tool (Apache TCP Monitor) http://h-pcmng:8080/AxisService/services/AuthenticationService Ldap://hma:389 Authentication Service With Oracle SAML library SOAP LDAP http://h-pcmng:8089/AxisService/services/AuthenticationService Get SAML token Policy Enforcement Point (Intecs Toolbox) HMA Skeleton Web Service Test Page HMA Skeleton Catalogue Service Ordering Service Slide 25
Testbed Objectives
The Authentication Service test being carried out by Spacebel has the following objectives:
- Realize a stand-alone open-source web service implementing the authentication service defined in the OGC ICD 07-118r1 version 0.0.4, referred to as "HMA authentication service".
- Test interoperability of SAML tokens generated by the OpenSAML library and the Oracle SAML library (EO-DAIL).
- Test integration of the HMA authentication service into the latest HMA Skeleton version.
- Test integration and compatibility with the Policy Enforcement Point being developed by Intecs in HMA-T.
Slide 26
Current Status
Achieved Results:
- Deploy the HMA authentication service on Axis2/Tomcat/JDK by reusing source files from the EO-DAIL project.
- Replace the Oracle SAML library of the Identity service with OpenSAML (http://www.opensaml.org/).
- Replace the Oracle OID of the DAIL Identity service with OpenLDAP version 2.1.30.
- Test the following OpenSAML library APIs:
  - Authenticate: generates a SAML token containing the required user profile data.
  - DecryptAndCheckSignature: decrypts the SAML token to verify whether the token is consumable.
Slide 27
Current Status
Achieved Results (Cont'd):
- Test interoperability of SAML tokens generated by the OpenSAML library and the Oracle SAML library. This test will be realized in the following steps:
  - Step 1: Call "Authentication service with OpenSAML" to obtain a SAML token.
  - Step 2: Call "Authentication service with Oracle SAML" to decrypt the SAML token obtained in Step 1.
  - Repeat Step 1 for the "Authentication service with Oracle SAML".
Slide 28
Current Status
The HMA authentication service is deployed successfully using the following software elements:
- OpenSAML (http://www.opensaml.org/)
- Apache Axis 2: providing Web service interface (SOAP 1.1, 1.2 TBD)
- Apache Tomcat server 5.x: J2EE Servlet engine providing HTTP(s) transport service.
- OpenLDAP version 2.1.30: user identity directory service
- Linux Redhat ES3,4 or any OS supported by Apache Tomcat and OpenLDAP software listed above.
- A machine matching the hardware conditions required by the above software elements.
Slide 29
OpenSAML vs Oracle SAML library Test User profile used during the Test, respecting IETF RFC2798 + Minimal profile defined in OGC 07-118 Slide 30
OpenSAML vs Oracle SAML library Test Number of Attributes (to be included in SAML) is configurable in a configuration file: Slide 31
OpenSAML vs Oracle SAML library Test Table 1 in OGC 07-118 version 0.0.4: Slide 32
Authentication Request/Response Generating SAML Token with OpenSAML library: Slide 33
OpenSAML vs Oracle SAML library Test Decrypting the SAML token with OpenSAML library: Slide 34
OpenSAML vs Oracle SAML library Test Decrypting SAML token created with OpenSAML library by using Oracle SAML library: Slide 35
OpenSAML vs Oracle SAML library Test Generating SAML token using Oracle SAML library: Slide 36
OpenSAML vs Oracle SAML library Test Decrypting SAML created with Oracle SAML library by using the OpenSAML library: Slide 37
Planning
The following tasks are in progress:
- Upgrade the service to support version 0.0.4 of OGC 07-118.
- Integrate the HMA authentication service into the latest HMA Skeleton version.
- Release the HMA Authentication service as a stand-alone software component separated from the current HMA Skeleton.
The following tasks are planned:
- Deploy the PEP tools provided by Intecs.
- Integrate the Authentication Service with the PEP tool.
Slide 38
Planning - Deliverables
Deliverables Planning (deliverable, followed by "available by" date):
- Stand-alone Authentication service software (SUM document, Software files): 16/07/2009
- HMA Skeleton version 2.0 including the Authentication service without testing with the Intecs PEP tool: 17/07/2009
- HMA Skeleton version 2.0 including the Authentication service after testing with the Intecs PEP: TBD
Slide 39