ESRIN, 15 December 2009
Slide 1: Web Service Security in HMA-T
HMA-T Final Presentation, 14 December 2009
S. Gianfranceschi, Intecs
Slide 2: Agenda
- Introduction
- OGC 07-118r1 0.0.5
- ATS issues
- ETS issues
- Security library issues
- Final remarks
Slide 4: Introduction
- Issue: the OGC 07-118 specification has undergone a major update
- HMA-T OGC specification baseline: OGC 07-118 r1 version 0.0.3
- Current OGC specification: OGC 07-118 r3 version 0.0.5
- Changes involve several aspects, ranging from the authentication interface definition to authorization issues
- ATS, ETS and security library changed accordingly
Slide 6: OGC 07-118r3 Authentication
The authentication interface specification schema has changed:
- The custom “Assertion” tag defined in the “http://earth.esa.int/um/eop/saml” namespace has been removed
- The authentication scenarios have been reviewed: authentication through an external IdP is simplified
- The structure of the SAML Token has been reviewed:
  - Attributes are no longer normative
  - The IdP public certificate is no longer inserted in the signature
- The authentication requests assume SOAP version 1.2 as the protocol binding
Slide 7: OGC 07-118r3 Authorization
- The service requests are now aligned to WS-Security (Web Services Security: SOAP Message Security 1.1):
  - No custom “http://earth.esa.int/um/eop/saml:Assertion” tag in the ws-security tag of the SOAP Header
  - “EncryptedData” is directly inserted as a child of the ws-security tag, as foreseen by the specification
- The service requests assume version 1.2 as the reference version of SOAP supported by the service endpoint
  - SOAP version 1.1 is still supported for legacy systems
- Asynchronous authorization is still to be better defined
Slide 9: OGC 07-118r3 ATS
- The ATS has changed according to the OGC specification update
- The ATS is still made of three modules:
  - M1 for testing the basic requirements of both the Identity and Service providers
  - M2 for testing the authentication capabilities of the Identity Provider
  - M3 for testing the authorization capabilities of the Service Provider
- The first two ATS modules were heavily reviewed:
  - Number of test cases reduced
  - Better specification of the test steps
Slide 10: OGC 07-118r3 ATS
ATS Module 1 changes:

OGC version 0.0.3 | OGC version 0.0.5
SOAP version 1.1 | SOAP version 1.2 (version 1.1 support for service requests to legacy services)
Mandatory GMES list of attributes in SAML token | List of SAML token attributes not checked
Encryption and digest method support checked on WSDL | Direct check of the support for the AES-128 encryption method and the SHA-1 digest method on the SAML Token returned by the IdP (precondition: private key of the service known)
Check on the order of signature and encryption (SAML Token first signed and then encrypted) | Removed since redundant
Slide 11: OGC 07-118r3 ATS
ATS Module 2 changes:

OGC version 0.0.3 | OGC version 0.0.5
SOAP version 1.1 | SOAP version 1.2
Two test cases for authentication requests with no IdP provided in input: 1. test case for local IdP handling; 2. test case for external IdP handling | A single test case for authentication requests with no IdP provided (always interpreted as directed to the local IdP)

ATS Module 3 changes:

OGC version 0.0.3 | OGC version 0.0.5
SOAP version 1.1 | SOAP version 1.2, or version 1.1 for legacy systems
Slide 13: OGC 07-118r3 ETS
- ETS graphical interface:
  - Improved general layout
  - Added the choice between SOAP 1.1 and SOAP 1.2 for service requests
  - Removed the entry for requesting the WSDL of the service (no longer needed)
- ETS modules changed according to:
  - the new ATS
  - the new (completely reviewed) security library
- ETS structure reviewed: simplified management of service requests with either SOAP 1.1 or SOAP 1.2
Slide 15: OGC 07-118r3 security library
Security library reviewed:
- Renamed in order to match the hma-t security project context
- Provided with a cleaner structure of packages and classes
- Updated to match the latest versions of the Apache libraries used
- Signature part modified in order to match the removal of the public certificate from the SAML Token signature:
  - The “checkSignature” method, if the public certificate key is not present in the signature, looks up a local “public_certificates.jks” keystore
  - The “public_certificates.jks” keystore contains all of the public keys of the trusted Identity Providers
  - If no public key in the keystore can be used to verify the signature, the check fails
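The keystore fallback described on this slide, as an added example that is not the HMA-T security library's own code: a hypothetical checkSignature built on the JDK XML-DSig API. It takes the already decrypted SAML assertion as a namespace-aware DOM Document, and deliberately always verifies against the trusted certificates in public_certificates.jks (the file name is the one the slide gives; the keystore password is assumed) rather than trusting a certificate carried inside the signature itself.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.PublicKey;
import java.util.Enumeration;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class SamlSignatureCheck {
    // Hypothetical checkSignature: verifies the ds:Signature of a (decrypted, namespace-aware
    // parsed) SAML assertion against the trusted IdP certificates in public_certificates.jks.
    // Returns true only if a trusted key validates the SignatureValue and every Reference.
    public static boolean checkSignature(Document doc, String keystorePath, char[] keystorePass)
            throws Exception {
        NodeList sigs = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (sigs.getLength() != 1) {
            return false; // unsigned token, or several signatures: fail closed
        }
        Element sigEl = (Element) sigs.item(0);
        Element assertion = (Element) sigEl.getParentNode();
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(keystorePath)) {
            ks.load(in, keystorePass);
        }
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        for (Enumeration<String> aliases = ks.aliases(); aliases.hasMoreElements();) {
            String alias = aliases.nextElement();
            if (!ks.isCertificateEntry(alias)) continue; // trusted certificates only
            PublicKey pk = ks.getCertificate(alias).getPublicKey();
            DOMValidateContext ctx = new DOMValidateContext(pk, sigEl);
            // The Reference points at the assertion's ID attribute; the JDK resolver only
            // finds it if the attribute is registered as an ID.
            if (assertion.hasAttribute("ID")) ctx.setIdAttributeNS(assertion, null, "ID");
            // Reject unsafe transforms and weak algorithms (on recent JDKs this also rejects
            // SHA-1 signatures, which the 2009 profile still used).
            ctx.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE);
            XMLSignature sig = fac.unmarshalXMLSignature(ctx);
            if (sig.validate(ctx)) {
                return true; // this trusted IdP key verifies the token
            }
        }
        return false; // no trusted key verifies the signature: the check fails
    }
}
```

A caller should still confirm that the validated Reference covers the assertion element it is about to trust, since validate() only proves the signature is sound for the parts it references.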
Slide 17: OGC 07-118r3 final remarks
- OGC 07-118 is still being specified, with updates and improvements foreseen
- ATS and ETS are consequently expected to undergo significant changes as the specification matures
- Further inputs are expected from the GENESIS project
- Authentication and authorization scenarios implemented according to the OGC 07-118 specification
- Security issues involve services of different types, not only the EO context