Published by Marian Hardy. Modified over 8 years ago.
1
ESRIN, 15 July 2009, Slide 1
Web Service Security support in the SSE Toolbox
HMA-T Phase 2 AR Meeting, 15 July 2009
S. Gianfranceschi, Intecs
2
Agenda
- Introduction
- Work performed
- Toolbox Security Architectural Overview
- ATS and ATP Overview
- Tests execution
- OGC 07-118r1 0.0.4 impact
- Open Actions review
- Open discussion
4
Introduction
- The Toolbox is a framework which facilitates the integration of web services in the HMA infrastructure.
- The component provided in this project is aimed at providing WS-Security at Ground Segment level, enabling existing GS to wrap and connect their own catalogues/services to the HMA infrastructure.
- Both internal (deployed on the Toolbox) and external (gateway) services can be secured with this extension.
5
HMA Infrastructure high-level diagram
7
Work Performed
- Update of the Requirement Document to take into account the OGC 07-118r1 0.0.3.
- Preparation of the Architectural Design Document.
- Finalization of the integration of the security Layer in the Toolbox.
- Development of sample XACML policy files for EbRim EO profile interfaces (for test purposes).
- ATS and ATP finalization.
- ETS development
- Development of a security library for the message encryption/decryption
- CTL development
- IDP simulation
- Limited end point availability
- Minimum GMES profile not supported
- TEAM Engine bug fixing
- Test execution and reporting
8
CDR Deliverables (1)
- Requirement document: final version available with changes according to latest OGC 07-118r1 0.0.3 updating.
  - HMAT-SRD-1200 Toolbox Software Requirement Document (security layer), Issue 1.2, 07/07/09
9
CDR Deliverables (2)
- Updated SSE Toolbox Architectural Design Document
  - HMAT-ADD-1300, Toolbox Software Security Layer Architecture Design Document, v.1.1, 07/07/2009
- Updated SSE Toolbox software package (with Web Service Security module features)
  - We propose to have a single delivery in September together with the ERGO software to avoid confusion.
  - Demo installation (PEP protecting a catalogue installation) to be made available in an ESA server.
- Updated SSE Toolbox User Manual (with Web Service Security module information)
  - Included in the Software delivery in HTML/Javascript format.
10
CDR Deliverables (3)
- SSE Toolbox Test Plan (updated for the Web Service Security module)
  - Updated according to the ECSS standards: Software Validation Testing Specification
  - HMAT-SVTS-1400 Software Validation Testing Specification v1.0 07/07/2009
- SSE Toolbox Test Data package
  - Available in the OGC HMA SVN
- SSE Toolbox Acceptance Test Report
  - Will be published on the wiki by the end of the week (Tests to be run during the meeting)
- SSE Toolbox conformance Test Plan (for the Web Service Security module)
  - Abstract Test Suite for OGC 07-118r1 [OGC format] 07/07/2009
- SSE Toolbox conformance Test Data package
  - Available in the OGC HMA SVN
- SSE Toolbox conformance Test Report
  - Will be published on the wiki by the end of the week (Tests to be run during the meeting)
11
Deliverable for FP
- SSE Toolbox updated with the Web Service Security module Installation Plan
  - Do we have to provide this document?
  - Which is the target for the installation?
- SSE Toolbox updated with the Web Service Security module integrated in the HMA prototype
  - Which is the environment to be used for the integration?
- Proposal
  - ESA to provide a host for the installation
  - Intecs to install a catalogue (draft from ERGO) with a PEP protecting it.
13
Toolbox Architecture
Diagram layers: SOAP layer; WS-Security Layer (WS-Policy); Application Security Layer (XACML Policy); Application layer (Gateway and Service, each with Synchronous and Asynchronous Operations).
14
Toolbox Security Architecture
- Axis2 as basic SOAP engine
- Axis2 module Rampart (Apache Software Foundation) for WS-Security layer: its behaviour has been extended to cover the HMAT security requirements (HMAT-SRD-1200-INT_1.1)
- ToolboxSecurityWrapper: Axis2 service with link to the Policy Enforcement Point (PEP, Application Security Layer) and Toolbox Application Layer
Diagram labels: SOAP; Axis2; RAMPART 4HMAT; WS-Policy; ToolboxSecurityWrapper (Axis2 service); Service Description; ToolboxPEP; XACML Policies; Toolbox Application Layer.
15
Toolbox Security Architecture: Main Activities Allocation
Diagram components: Client; Identity Provider; Security Layer (RAMPART 4HMAT, WS-Policy, ToolboxPEP, XACML Policies); Toolbox.
Diagram labels (steps numbered 1 to 6 on the slide):
- Get SAML assertion
- WS-Security signed-encrypted SOAP request
- Check encrypted SAML existence, decrypt it.
- Verify SAML token
- Decrypted SAML, SOAP request/action
- Enforce enterprise policies
- Serve request (Application layer)
- Fault
- SOAP response
16
Toolbox Security Architecture: a more formal model
17
Toolbox Security Wrapper: Service Description
Responsibilities:
- deploys ToolboxSecurityWrapper into Axis2,
- holds the list of the wrapped services to be secured,
- for each wrapped service, holds the WS-Security policy.
Its artifact is the services.xml file of the Axis2 ToolboxSecurity deployment located at:
/webapps/Axis2/Web-INF/services/ToolboxSecurityWrapper/META-INF/services.xml
Diagram labels: Service Configuration; Axis2; RAMPART 4HMAT; WS-Policy; ToolboxSecurityWrapper (Axis2 service); Service Description.
18
Service Description: an Example
Callouts on the example: Wrapper service; Wrapped Service; WS-Security policy.
19
Toolbox Security Architecture: ToolboxPEP
- ToolboxPEP: invoked by the ToolboxSecurityWrapper when the WS-Security check is successful; enforces the XACML policy check
- XACML policies are stored in dedicated XML files
- Each policy holds information about the wrapped service and (optionally) the SOAP action to which the policy applies
- Each policy owns a list of policy rules; each rule can refer to SAML token and/or SOAP (body) attribute values.
Diagram labels: ToolboxPEP; XACML Policies.
20
XACML example for EO EbRim profile (1/3)
Callout on the example: The target wrapped service for which this policy applies: wrs (Web Registry Service)
21
XACML example for EOLI (2/3)
Callouts on the example:
- SAML attribute reference
- The target of this rule: commercial client
- If an owned condition evaluates to true then the effect of the rule is “deny”
- Condition about the collection
22
XACML example for EO EbRim profile (3/3)
Callout on the example: SOAP action for registry update
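The policy model described on the ToolboxPEP and XACML example slides (a policy tied to a wrapped service and an optional SOAP action, with rules that test SAML token and SOAP body attributes), as an added Python example that is not the Toolbox's own code. The attribute names clientType and role, the SOAP action URN, the deny-overrides combination and the deny-biased PEP are assumptions; the service name wrs and the collection identifiers are taken from the slides.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional

@dataclass
class Rule:
    effect: str                          # "Permit" or "Deny"
    target: Callable[[dict], bool]       # test on SAML token attributes
    condition: Callable[[dict], bool]    # test on SOAP body attributes

@dataclass
class Policy:
    service: str                         # wrapped service the policy applies to
    soap_action: Optional[str] = None    # None: applies to every SOAP action
    rules: List[Rule] = field(default_factory=list)

def evaluate(policies, service, soap_action, saml, body):
    """Deny-overrides (assumed) over every rule of every applicable policy."""
    decision = "NotApplicable"
    for p in policies:
        if p.service != service or p.soap_action not in (None, soap_action):
            continue
        for r in p.rules:
            if r.target(saml) and r.condition(body):
                if r.effect == "Deny":
                    return "Deny"
                decision = "Permit"
    return decision

def pep_allows(policies, service, soap_action, saml, body):
    """Deny-biased PEP (assumed): only an explicit Permit passes the request."""
    return evaluate(policies, service, soap_action, saml, body) == "Permit"

SPOT = "urn:ogc:def:EOP:ESA.TEST.SPOT_ESA_MULTI"
ENVISAT = "urn:ogc:def:EOP:ESA.TEST.ENVISAT_ASA_GMI_1S"
UPDATE = "urn:example:wrs:update"        # hypothetical SOAP action
SEARCH = "urn:example:wrs:search"        # hypothetical SOAP action

# Constructed policies: commercial clients are denied one collection,
# and registry updates are denied to anyone but an administrator.
POLICIES = [
    Policy("wrs", None, [
        Rule("Deny", lambda s: s.get("clientType") == "commercial",
             lambda b: b.get("collection") == SPOT),
        Rule("Permit", lambda s: True, lambda b: True),
    ]),
    Policy("wrs", UPDATE, [
        Rule("Deny", lambda s: s.get("role") != "administrator", lambda b: True),
    ]),
]
```

A request for a service with no policy at all yields NotApplicable, which this PEP treats as a refusal.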
24
Validation approach
The validation documentation is made up of 2 main building blocks:
- Abstract Test Suite for OGC 07-118r1 (ATS in brief)
- SVTS: Software Validation Testing Specification
ATS delivered as a separate document
- A unique ATS, merging multiple contributions, has been defined
- The ATS format and structure harmonized at the OGC level
- The ATS has been “instantiated” in an ETS (Executable Test Suite)
SVTS “complements” ATS
- E.g. non-functional requirements, SW/HW specific aspects and further authorization tests.
25
ATS - 1
- ATS addresses conformance tests
  - The aim is to check that a service/product fulfills the clauses of an OGC Implementation Specification
  - HMA-T services are tested against OGC 07-118r1 “clauses” covering authentication and authorization interfaces for EO products
- ATS is usually structured according to class levels
  - Mandatory elements are at the bottom conformance class level
  - Classes shall be defined at the specification level, otherwise a unique core conformance class with all clauses is assumed
  - For OGC 07-118 a unique conformance core class is defined
26
ATS - 2
ATS main aspects:
- Authentication capabilities provided by Identity Providers
- Authorization aspects enforced by Service Providers
ATS proposed structure:
- Module 1 for clauses addressing common protocols/specifications used
- Module 2 for authentication conformance tests
- Module 3 for authorization conformance tests
27
ATS – Module 1
ATS Module 1
- Support for SOAP/HTTP or SOAP/HTTPS
  - SOAP version 1.1 in OGC 0.0.3
- Support for SAML token
  - Embedded in WS-Security elements in SOAP header
  - Covering GMES minimum profile
- Support for encryption/hashing
  - AES-128 encryption algorithm and SHA-1 hash algorithm for signature
Tests for Module 1 encryption issues:
- SAML Token encrypted with public key of the Federating Entity
- SAML Token contents cannot be accessed without private key
28
ATS – Module 1
- Inspect the WSDL to check support of security features
  - WSDL should be extended with WS-Policy description (in line with OASIS policy)
  - Not applicable for checking SAML support of minimum profile
- Test session with the IdP
  - Pair of keys for testing (private key from the EODAIL)
  - Invasive: Identity Provider private key to be known for tests
  - To be checked if the same approach used for the SP can be used (keystore, alias and password provided as input to the CTL).
29
ATS – Module 2
ATS Module 2
- Support for authentication requests
  - Explicit designated IdP
    – Federating entity
    – External entity
  - No IdP designated
    – Federating entity plays as the IdP
Tests for ATS Module 2 issues
- As in Module 1
- Being related to Identity Provider capabilities, the Toolbox Security Layer ETS will not address this Module
30
ATS – Module 3
ATS Module 3
- Support for authorization requests
  - Synchronous mode
  - Asynchronous mode (skipped. No support in the TEAM Engine)
ATS Module 3 issues
- Asynchronous behavior depends on the specific implementation service
- Authorization failures still need to be defined
31
SVTS

| Test Design Identifier | Test Design Title | Test Case Identifier | Test Case Title |
|---|---|---|---|
| TD_01 | Toolbox service security settings | TC_01_01 | Editing WS Security policies |
| | | TC_01_02 | Editing XACML policies |
| TD_02 | WS-Security | TC_02_01 | SOAP Binding of the request/response messages |
| | | TC_02_02 | SAML token encoding for authentication information |
| | | TC_02_03 | Encryption algorithm for SAML token |
| | | TC_02_04 | Digest algorithm for signing SAML tokens |
| | | TC_02_05 | Encryption and signing for SAML tokens |
| TD_03 | Authorization | TC_03_01 | Authorization with synchronous response |
| | | TC_03_02 | Authorization with asynchronous response |
| | | TC_03_03 | Authorization request failure |
| TD_04 | Protocol Binding | TC_04_01 | Asymmetric binding assertion with X509 certificates |
| TD_05 | Service access filtered via XACML policies | TC_05_01 | Access to catalogue by collection name |
| | | TC_05_02 | Access to catalogue by temporal coverage |
| | | TC_05_03 | Access to catalogue by satellite criteria |
32
Test Environment (1)
- TEAM Engine deployed in Intecs
  - End point http://hrt-11.pisa.intecs.it/Manager/
  - The installation requires cryptography extension to default java security support (from http://www.bouncycastle.org/) and a security library developed by Intecs (it will be made available on the OGC hma SVN)
- Test performed on an IDP simulator returning a SAML token agreed with the EODAIL (main structure + additional attributes added manually according to the GMES minimum profile)
- Protected service: EbRIM Catalogue deployed in Intecs
33
Test Environment (2)
The catalogue has been populated with the following metadata:
- Data belonging to years 2007 and 2008
- Data belonging to collections: urn:ogc:def:EOP:ESA.TEST.ENVISAT_ASA_GMI_1S and urn:ogc:def:EOP:ESA.TEST.SPOT_ESA_MULTI
- Data belonging to satellite ENVISAT
- Data belonging to satellite SPOT with sensor HI or HV
35
Input interface
36
Execution results
38
Requirements: a look into the new OGC 0.0.4
- New Synchronous Service request: compliant with HMAT-SRD-1200-INT_1.2
- New Asynchronous Service Request: requires requirements extension… but not clear; from the OGC specification:
  “The service provider creates a token authenticating himself.. and signs it with his private key. This is then encrypted with the public key of the DAIL and inserted into the asynchronous response in the same way as previously described for a service request”
  - How does the creation of the (SAML) token have to be performed? Via the IDP?
  - Is the SAML token really necessary for the asynchronous request? Could the signature be enough?
39
OGC 07-118r1 v.0.0.4: impact upon ATS
- Authentication request use cases have been simplified: ATS Module 2 has to be simplified accordingly:
  - Explicit designated IdP
    – External entity
  - No IdP designated
    – Federating entity plays as the IdP.
- Synchronous authorization request: small impact.
- Asynchronous authorization request: needs to be covered by ATS, however the specification needs to be clarified first, in particular about SAML token in the asynchronous response.
  - Asynchronous support on TEAM Engine
41
Open actions
- Provide input for storyboard to be used at FP. (HMAT-MOM-2001-SPB A26)
  Status: To be done
- Upload slides on Wiki page with "project meetings". (HMAT-MOM-2003-SPB A2)
  Status: Done
- Provide ERGO catalogue test endpoint for tests (HMAT-MOM-2004-SPB A5)
  Status: The ERGO catalogue only supports SOAP. The CIM and EOP tests are mainly based on HTTP. Thus a lot of tests will fail. Anyway we are not able to guarantee the server availability (the ERGO catalogue is still under test). We propose to deploy a catalogue in ESA and to load it with the reference data. We could also provide a secured access to the catalogue via the PEP and define some XACML rules.
- Propose a single ATS document for UM ICD and collaborate on ETS. (HMAT-MOM-2004-SPB A13)
  Status: Done
- Document feasible approach to run UM ICD tests taking into account privacy of private keys etc. (HMAT-MOM-2004-SPB A26)
  Status: Done for the SP. Still under discussion for the IdP. To be checked if the keystore exchange can be used in this context too.
42
Open actions
- Include example XACML policy files in the software delivery. (HMAT-MOM-2004-SPB A29)
  Status: The XACML files will be included in the wiki. We propose to create a page with the link to the catalogue client and a description of the tests that can be done with an example of the XACML file. This is possible if ESA will host the installation.
- Investigate whether client tests can be included as a group of tests in the ATS. (HMAT-MOM-2004-SPB A31)
  Status: No tests for the client have been defined.
- Perform an analysis of the new TEAM engine implementation. (HMAT-MOM-2004-SPB A33)
  Status: The TEAM Engine with the SOAP support has been integrated with the latest version of the TEAM Engine in May and has been made available on the sourceforge SVN.
- Include version and link to TEAM engine download on the HMA-T Baseline Wiki page. (HMAT-MOM-2004-SPB A36)
  Status: Done
- Create OGC Change Request to the CTL specification 06-126 to cover SOAP extensions/tags. (HMAT-MOM-2004-SPB A37)
  Status: Done
- Deliver UM ATS in format which can be included directly in OGC 07-118. (HMAT-MOM-2008-SPB A1)
  Status: Done
- CNR to deliver test documentation as per ECSS mapping. (HMAT-MOM-2008-SPB A11)
  Status: ?????