Web Service Security support in the SSE Toolbox
HMA-T Phase 2 FP, 14 December 2009
S. Gianfranceschi, Intecs
(Slide header: ESRIN, 15 July 2009)
Agenda
- Introduction
- Toolbox Security Overview
- Security Service Creation
- Security Demo
Introduction
The Toolbox is a framework that facilitates the integration of web services into the HMA infrastructure. The component provided in this project is aimed at providing WS-Security at Ground Segment level, enabling existing Ground Segments to wrap and connect their own catalogues/services to the HMA infrastructure. It implements OGC 07-118r1 0.0.5. Both internal services (deployed on the Toolbox) and external services (proxied through the Toolbox) can be secured with this extension.
HMA Infrastructure high-level diagram (figure)
Toolbox Security Overview
Toolbox Architecture (figure)
- Application layer: Gateway and Service, each exposing synchronous and asynchronous operations
- SOAP layer: WS-Security layer, configured through WS-Policy
- Application Security Layer: XACML policy
Toolbox Security Architecture
- Axis2 as basic SOAP engine
- Axis2 module Rampart (Apache Software Foundation) for the WS-Security layer; its behaviour has been extended to cover the HMAT security requirements (HMAT-SRD-1200-INT_1.1)
- ToolboxSecurityWrapper: Axis2 service with links to the Policy Enforcement Point (PEP, Application Security Layer) and to the Toolbox Application Layer
(figure: an incoming SOAP message enters Axis2, passes through Rampart4HMAT, configured by WS-Policy, then through the ToolboxSecurityWrapper, an Axis2 service with its own Service Description, which calls the ToolboxPEP, configured by XACML Policies, before the message reaches the Toolbox Application Layer)
Toolbox Security Architecture: Main Activities Allocation (figure; flow reconstructed from the diagram)
1. The Client obtains a SAML assertion from the Identity Provider.
2. The Client sends a WS-Security signed and encrypted SOAP request.
3. The security layer (Rampart4HMAT, configured by WS-Policy) verifies the SAML token: it checks that an encrypted SAML assertion is present and decrypts it.
4. The decrypted SAML assertion and the SOAP request/action are handed to the ToolboxPDP, which enforces the enterprise policies (XACML Policies).
5. If the policies allow it, the Toolbox serves the request (Application layer).
6. Otherwise a SOAP Fault response is returned.
Toolbox Security Architecture: ToolboxPDP
- ToolboxPDP: invoked by the ToolboxSecurityWrapper when the WS-Security check is successful; enforces the XACML policy check (the deck's figures label the same component ToolboxPEP)
- XACML policies are stored in dedicated XML files
- Each policy carries information about the wrapped service and, optionally, the SOAP action for which the policy applies
- Each policy owns a list of policy rules; each rule can refer to SAML token attribute values and/or SOAP (body) attribute values
(figure: ToolboxPEP with its XACML Policies)
XACML example for EO EbRim profile (1/3)
The target wrapped service for which this policy applies: wrs (Web Registry Service). (figure: the policy XML is not reproduced on this page)
XACML example for EO EbRim profile (2/3)
SOAP action for registry update. (figure: the policy XML is not reproduced on this page)
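The two XACML slides above only show captions, and the activity allocation slide describes the PDP call in words. The following is an added example, written for this page and not the HMA-T Toolbox's own code, of the decision the ToolboxPDP makes once the WS-Security check has passed: a policy whose Target names the wrapped service ("wrs") and a SOAP action, with rules that test attributes taken from the decrypted SAML assertion. The policy XML, the SAML assertion, the "Transaction" action name and the "urn:example:saml:role" attribute are constructed assumptions; only the XACML 2.0 element names and the string-equal function are standard. It uses the Python standard library only.

```python
"""Minimal XACML 2.0-style PDP for a wrapped Toolbox service (added example).

Constructed example, not the HMA-T Toolbox's code: POLICY_XML, the SAML
assertion, the "Transaction" action and the role attribute are assumptions.
"""
import xml.etree.ElementTree as ET

XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
ROLE_ATTR = "urn:example:saml:role"  # assumed SAML attribute name

# Constructed policy: only subjects whose SAML role is ADMIN may invoke the
# assumed "Transaction" (registry update) SOAP action of the wrapped "wrs"
# service. The catch-all Deny rule is last and relies on first-applicable
# combining; under deny-overrides it would deny the admins as well.
POLICY_XML = f"""<Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
  PolicyId="urn:example:wrs:update-policy"
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
  <Target>
    <Resources><Resource><ResourceMatch MatchId="{STRING_EQUAL}">
      <AttributeValue DataType="{XS_STRING}">wrs</AttributeValue>
      <ResourceAttributeDesignator AttributeId="{RESOURCE_ID}" DataType="{XS_STRING}"/>
    </ResourceMatch></Resource></Resources>
    <Actions><Action><ActionMatch MatchId="{STRING_EQUAL}">
      <AttributeValue DataType="{XS_STRING}">Transaction</AttributeValue>
      <ActionAttributeDesignator AttributeId="{ACTION_ID}" DataType="{XS_STRING}"/>
    </ActionMatch></Action></Actions>
  </Target>
  <Rule RuleId="permit-admin-update" Effect="Permit">
    <Target><Subjects><Subject><SubjectMatch MatchId="{STRING_EQUAL}">
      <AttributeValue DataType="{XS_STRING}">ADMIN</AttributeValue>
      <SubjectAttributeDesignator AttributeId="{ROLE_ATTR}" DataType="{XS_STRING}"/>
    </SubjectMatch></Subject></Subjects></Target>
  </Rule>
  <Rule RuleId="deny-everyone-else" Effect="Deny"/>
</Policy>"""


def saml_with_role(role):
    """Constructed SAML 2.0 assertion with one role attribute. In the real flow
    the WS-Security layer has already verified its signature and decrypted it."""
    return f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement><saml:Attribute Name="{ROLE_ATTR}">
    <saml:AttributeValue>{role}</saml:AttributeValue>
  </saml:Attribute></saml:AttributeStatement>
</saml:Assertion>"""


def local(el):
    """Tag name without its namespace, to keep policy and SAML parsing short."""
    return el.tag.rsplit("}", 1)[-1]


def children(el, name):
    return [c for c in el if local(c) == name]


def saml_attributes(saml_xml):
    """Flatten the assertion's AttributeStatement into {name: [values]}."""
    attrs = {}
    for a in ET.fromstring(saml_xml).iter():
        if local(a) == "Attribute":
            values = [v.text or "" for v in a if local(v) == "AttributeValue"]
            attrs.setdefault(a.get("Name"), []).extend(values)
    return attrs


# XACML 2.0 Target categories: (item element, match element, request bag key)
CATEGORIES = {"Subjects": ("Subject", "SubjectMatch", "subject"),
              "Resources": ("Resource", "ResourceMatch", "resource"),
              "Actions": ("Action", "ActionMatch", "action")}


def match_elem(m, bag):
    """One *Match element: the designated attribute must hold the literal value."""
    if m.get("MatchId") != STRING_EQUAL:
        raise ValueError("unsupported MatchId " + str(m.get("MatchId")))  # fail closed
    value = children(m, "AttributeValue")[0].text
    designator = [c for c in m if local(c).endswith("AttributeDesignator")][0]
    return value in bag.get(designator.get("AttributeId"), [])


def target_matches(target, request):
    """A Target matches when every category it lists has at least one item whose
    *Match elements all hold; a missing Target, category or Any* item matches."""
    if target is None:
        return True
    for category, (item, match, key) in CATEGORIES.items():
        for group in children(target, category):
            if children(group, "Any" + item):
                continue
            if not any(all(match_elem(m, request[key]) for m in children(it, match))
                       for it in children(group, item)):
                return False
    return True


def evaluate(policy_xml, request):
    """Return Permit, Deny or NotApplicable for a request of attribute bags."""
    policy = ET.fromstring(policy_xml)
    if not target_matches(next(iter(children(policy, "Target")), None), request):
        return "NotApplicable"
    effects = [r.get("Effect") for r in children(policy, "Rule")
               if target_matches(next(iter(children(r, "Target")), None), request)]
    if not policy.get("RuleCombiningAlgId", "").endswith("first-applicable"):
        raise ValueError("unsupported combining algorithm")  # fail closed
    return effects[0] if effects else "NotApplicable"


def decide(saml_xml, service, soap_action):
    """The question the ToolboxSecurityWrapper asks after a successful WS-Security check."""
    request = {"subject": saml_attributes(saml_xml),
               "resource": {RESOURCE_ID: [service]},
               "action": {ACTION_ID: [soap_action]}}
    return evaluate(POLICY_XML, request)
```

Two points a practitioner should take from running it: a request for another wrapped service or another SOAP action yields NotApplicable rather than Deny, so the enforcement point in front of the PDP must treat anything other than Permit as a refusal; and the combining algorithm matters, because the same two rules under deny-overrides would refuse every caller.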
Security Service Creation
Proxy patterns supported (figure)
Two patterns are shown. In both, the Secured Client sends its HTTP request to the Toolbox, whose PEP enforces the policy, and the Toolbox forwards the request over HTTP to the External Service and relays the response. In the second pattern the External Service has a PEP of its own, so the Toolbox forwards the security token with the message; the token can be forwarded unencrypted or encrypted with the public key of the receiver.
General configuration (figure: Toolbox configuration screen)
This keystore should contain all the public keys of the trusted IDPs. The Toolbox uses these keys to check the signature: it loops over all the keys and goes ahead only if one of them verifies the signature. Any key in this keystore is therefore sufficient to authenticate an assertion, so its content defines the set of trusted IDPs and should hold nothing else.
Service creation: Catalogue proxy (1)
1. Select the service name and click on Next.
2. Select the type of service and click on Next.
3. Enter a Service Abstract and a Service Description and click on Next.
Service creation: Catalogue proxy (2)
1. Select the interface and click on Next.
2. Select the type of Service and click on Next.
3. Enter the security parameters and click on Next:
- Upload the keystore storing the service private key to be used to decrypt the incoming tokens. If the service is configured as a security proxy and the outgoing messages have to be re-encrypted, the keystore must also contain the public key of the connected end point.
- Enter Alias and Password: the Alias is the identifier of the key in the keystore; the Password is the password of the keystore.
- Upload the XACML file specifying the filtering rules to be applied to the incoming messages.
Service creation: Catalogue proxy (3)
1. Configure the type of proxy you want to create and click on Configure.
2. Select the operation you want to proxy.
3. Choose how the security token is forwarded:
- Tick the first option to forward the message with the security token unencrypted.
- Tick the second option to forward the message with the security token encrypted using the key of the receiver (the key has to be included in the keystore of the service and is identified via the Alias below).
4. Enter the end point of the receiver.
5. Enter the alias of the key to be used to encrypt the security token.
Security Demo
Security demo: Catalogue Service (figure, followed by a video)
The Secured Client sends HTTP requests to the Toolbox, whose PEP enforces the policy and forwards them to the ERGO catalogue; a Simulated IDP issues the security token.