A Guide to Secure Web Services with GJXML Hey I downloade d an IEPD! Cool, how do you write a web service? I use.NET Moo! I use Java

WIJIS Justice Gateway The WIJIS Justice Gateway: The WIJIS Justice Gateway: A single, secure point of read-only access to disparate state and local justice information resources. Local Law Enforcement Records Management Systems Service-Oriented Architecture 1)Publish pointers from RMS to Gateway Cache 2) End Users Search Cache, Request Incident Report 3) Gateway requests Incident Report from RMS 4) RMS returns Incident Report 5) Gateway displays Incident Report

WIJIS WIJIS Developer Guide Service providers should be mapping data to GJXML, not bogged down in implementation details Provide example WSDL – Contract First! Server and client implementation in multiple languages compile schema into objects XSLT

WIJIS Incident Report IEPD – The Homer Simpson Case Study IEPD can be downloaded here: Doh, Now what? Let’s take a look, we see… Instance Examples Document and constraint schemas

WIJIS DOT NET 2.0 Instructions Generate C# Objects from WSDL with this command: wsdl.exe /server Create.NET Web Service and add references Example C# files and instructions here:

WIJIS Testing the Service – The Python Way Create a sample invocation file Run the sample python script Script can be run over http, https or https w/ client certificates Keep the test client simple! Examples available here:

WIJIS Java Instructions - Overview Generate Jar File from WSDL using Jaxb Download sample Record Retrieval Service Project for Eclipse WIJIS provides Ant tasks in project Full details at:

WIJIS Make your XML look Pretty - XSLT WIJIS Gateway invokes services, then: WIJIS Needed to transform results End users are not machines but humans Distributing XSLT helps service providers inspect Incident Reports before publishing Instance and transformed documents here

WIJIS WIJIS – Security Overview Incident Report request conducted over HTTPS with X509 Client Certificates Layer 3 IP Address filtering WIJIS runs our own certificate authority Authorization granted based on name in certificate

WIJIS WIJIS – 4 Security Tests Certificate signed by WIJIS Certificate Authority Certificate is not expired Name in Certificate matches name on wire Certificate has been revoked

WIJIS X509 Certificate Request Process Client creates a private key openssl genrsa -out MyPrivateKey.key 1024 Using private key, client creates a Certificate Signing Request (CSR) openssl req -new -nodes -key MyPrivateKey.key -out MyCSR.csr CSR sent to CA and signed certificate is returned Signed certificate can be joined with Private Key openssl pkcs12 -export -in MyCertificate.pem -inkey MyPrivateKey.key -out MyPFXFile.pfx

WIJIS X509 Certificate Tools OpenSSL useful for both.NET and Java users. Keytool useful only for Java users Microsoft CertUtil – Not really useful for anyone

WIJIS Example Server Configurations with SSL and Client Certificates IIS 6.0 Step by Step available at: Apache Tomcat 5.5 Step by Step available at:

WIJIS IEPD Distribution Suggestions In addition to Instance Examples, include Example WSDL Auto-generated C# files and Jar Files (JaxB) Sample Implementations and test client XSLT with sample HTML output

WIJIS Developer Guide – Return on Investment Lowers the barriers to secure web services using GJXML Re-use of code saves developer time for agencies/vendors and stretches grant $$ Vendors integrate with WIJIS once and can distribute to all customers Prior to Guide: 0 Services, now 7 vendors, over 73 agencies in 8 months

Links wijiscommons.org/gjxdm_example – wijis developer guide oja.wi.gov/wijis – WIJIS Web Page wijisgateway.org – WIJIS Blog Contact Info