
National Forest Information System Système national d'information forestière DACS A Distributed Access Control System for Secure Delivery of Web Services.


1. DACS: A Distributed Access Control System for Secure Delivery of Web Services in a Federated Organization
An initiative of the Canadian Council of Forest Ministers' (CCFM) National Forest Information System (NFIS)

2. NFIS Vision
CCFM-NFIS vision: Acquire, Integrate, Analyze, Model, Disseminate, Report
Authoritative, Transparent, Secure, Distributed, Autonomous

3. NFIS Development Requirements
Operating guidelines:
– International standards (OGC, ISO, etc.)
– CGDI principles
– Vendor neutrality
– Open source
Absolute requirements:
– Security (DACS)
– Minimal impact on business practices
– Branding

4. The NFIS Federation
Federal, provincial and territorial governments, NGOs and private-sector agencies cooperating in the delivery of national forest information on the Web.
– Low participation overhead
– Member agencies retain autonomy of business practice and technology.

5. The NFIS Federation
DACS is implemented as a network of trusted servers delivering interoperable Web services.
All servers in the NFIS federation share the nfis.org domain.
The federation provides sustainable forest management and spatial analysis services based on OpenGIS WMS, WFS, WCS, etc.

6. What is DACS?
DACS is a distributed access control framework developed for NFIS to facilitate secure sharing of Web services:
– any static or computational resource available through a Web server using HTTPS
– a web page, document, CGI/ASP program, Java servlet, database query, file upload/download, generated image, DACS operation, etc.
DACS supports authentication, single sign-on and access control.

7. What is a DACS Federation?
A federation is composed of one or more trusted jurisdictions.
A jurisdiction is an autonomous administrative entity providing authentication services for its users and assigning access to its Web services.
A jurisdiction can be an organization, department, work group, or an individual.
Interaction between jurisdictions is secured by DACS through an extended Web server.

8. DACS Authentication Mechanism
A jurisdiction authenticates its users using existing mechanisms (e.g., login/password, X.509 certificate, etc.).
If authentication is successful, DACS returns encrypted credentials that identify the user.
These credentials must be included in subsequent service requests initiated by that user.

9. DACS Features
1. All jurisdictions have full access control of their respective web resources. Each jurisdiction:
– controls access to its own information resources and Web services
– defines and authenticates its own users
– retains full access control decisions under its authority
– leverages its existing authentication technologies (e.g., Microsoft ADS and NTLM, RADIUS, LDAP, PKI, etc.)

10. DACS Features (continued)
2. Users are authenticated only once per NFIS session.
3. Users' network identity is derived from their jurisdictional identity.
4. Authentication and access control are supported by all common web browsers and can be leveraged by custom web applications.

11. DACS Features (continued)
5. Low cost of entry
– Uses commonly available software components: Apache/OpenSSL, common web browsers, etc.
– Minimizes required changes to business practices.
– Is extensible without retooling existing NFIS infrastructure.

12. Access control: Who, What, How
Who is making the request?
– User network identity
– Membership in user groups
What is being accessed?
– Any Web service described by a URL, e.g., https://bc.nfis.org/wildfire/index.jsp or https://ca.nfis.org/cubestor/cubeserv.cgi
How is it being accessed?
– Access rules specify Who, What and How

13. Who: DACS Users
Each user has a "home jurisdiction".
Jurisdictions have a well-known, unique name officially assigned within the NFIS network, e.g., NFIS:AB, NFIS:BC, NFIS:CFS.
Users are authenticated by a server in their home jurisdiction.
User identity = Jurisdiction + Username, e.g., NFIS:CFS:jdechka.

14. Who: User network login
A user may be challenged to authenticate at any NFIS portal (member server):
– The user provides a username/password, X.509 certificate, etc. relative to the home jurisdiction.
– The portal forwards the authentication request to the appropriate DACS server at the home jurisdiction, where the home jurisdiction's authentication is applied.
Single sign-on: on success, the user obtains NFIS network-wide credentials.

15. Who: User credentials
Based on the Netscape cookie specification:
– Requires participating Web servers to be known by a common domain name suffix (e.g., cfs.nfis.org, ab.nfis.org, sk.nfis.org, ...).
Credentials may expire or may be revoked by the authenticating jurisdiction.
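The credential lifecycle of slides 14 and 15, as an added example that is not from the presentation and not DACS's real credential format: a home jurisdiction issues a network-wide credential after local authentication, any federation server can check it without re-authenticating the user, and the credential can expire, be revoked, and only travels to hosts under the common domain suffix. The shared key, the cookie layout and the revocation set are assumptions of this demo.

```python
import hashlib
import hmac

# Constructed example, not DACS's real credential format: a home jurisdiction's
# DACS server issues a credential after local authentication; other federation
# servers verify it without re-authenticating the user. The shared key and
# domain below are placeholders for this demo.
FEDERATION_KEY = b"placeholder-federation-key"   # assumption: shared by all jurisdictions
FEDERATION_DOMAIN = ".nfis.org"                  # common domain suffix the cookie is scoped to
REVOKED = set()                                  # identities revoked by their home jurisdiction

def issue_credential(jurisdiction, username, now, lifetime=3600):
    """Return a cookie value 'identity|expires|mac' for a user just authenticated at home."""
    identity = f"NFIS:{jurisdiction}:{username}"
    body = f"{identity}|{now + lifetime}"
    mac = hmac.new(FEDERATION_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{mac}"

def revoke(identity):
    """The authenticating jurisdiction withdraws network-wide credentials for an identity."""
    REVOKED.add(identity)

def verify_credential(cookie, now):
    """Return the identity if the credential is intact, unexpired and not revoked, else None."""
    try:
        identity, expires, mac = cookie.rsplit("|", 2)
    except ValueError:
        return None                                   # malformed
    body = f"{identity}|{expires}"
    expected = hmac.new(FEDERATION_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None                                   # forged or tampered
    if now >= int(expires):
        return None                                   # expired
    if identity in REVOKED:
        return None                                   # revoked by home jurisdiction
    return identity

def cookie_sent_to(host):
    """Browser cookie scoping: only hosts under the common domain suffix receive the credential."""
    return host == FEDERATION_DOMAIN[1:] or host.endswith(FEDERATION_DOMAIN)
```

The domain check is why every member server must live under nfis.org: a jurisdiction hosted elsewhere would never see the credential.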

16. Who: DACS User Groups
Assign thematic access rights to users within a jurisdiction and spanning jurisdictions, e.g., NFIS:SK:TimberSupply, NFIS:Common:ASMFire, NFIS:Common:NFI.
Group membership is:
– explicitly defined within the jurisdiction
– comprised of any NFIS user or group
– propagated to each jurisdictional server
Scope: Local, Regional, National

17. Who: DACS User Groups (diagram: SK Users; SK Timber Supply)

18. Who: DACS User Groups (diagram: AB Users, SK Users, MB Users; SK Timber Supply, ASM Fire)

19. Who: DACS User Groups (diagram: AB Users, SK Users, MB Users; SK Timber Supply, ASM Fire, NFIS National Forest Inventory)

20. How: DACS Access Control Rules
Access control rules provide syntax to specify:
– Who (user or group),
– What (URL or URL pattern), and
– How, which may:
  – refer to elements of user credentials (e.g., username, jurisdiction) or environment (e.g., the user's IP address)
  – refer to service request parameters (e.g., Layer="Forest Cover", scale > 10000)
  – specify additional parameters for an invoked program
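The Who / What / How evaluation of slides 16 to 20, as an added example that is not from the presentation and not DACS's own rule language: cross-jurisdiction groups that nest (NFIS:Common:ASMFire containing NFIS:SK:TimberSupply), URL patterns as the What, and predicates over request parameters and the remote address as the How, with deny as the default. The group membership, the rules, the "%" prefix for group references and the address range are constructed for this demo.

```python
import fnmatch

# Constructed example, not DACS's own rule language: a minimal model of the
# Who / What / How evaluation. Identities are "NFIS:<jurisdiction>:<username>";
# in this demo a group reference is written with a leading "%" so that a
# group and a user with the same name cannot be confused.
GROUPS = {   # constructed membership, spanning jurisdictions; groups may nest
    "NFIS:SK:TimberSupply": {"NFIS:SK:alice", "NFIS:SK:bob"},
    "NFIS:Common:ASMFire": {"NFIS:AB:phil", "NFIS:MB:carol", "%NFIS:SK:TimberSupply"},
}

def is_member(identity, group, seen=None):
    """True if identity belongs to group, following nested groups; cycles are tolerated."""
    seen = set() if seen is None else seen
    if group in seen:
        return False
    seen.add(group)
    for member in GROUPS.get(group, ()):
        if member.startswith("%"):
            if is_member(identity, member[1:], seen):
                return True
        elif member == identity:
            return True
    return False

def who_matches(identity, who):
    """Who: a group reference (%...), a wildcard over identities, or an exact identity."""
    if who.startswith("%"):
        return is_member(identity, who[1:])
    return fnmatch.fnmatchcase(identity, who)

# Constructed rules: (Who, What = URL pattern, How = predicate on request args / environment)
RULES = [
    ("%NFIS:Common:ASMFire", "https://ab.nfis.org/wildfire/*", lambda args, env: True),
    ("%NFIS:SK:TimberSupply", "https://ca.nfis.org/cubestor/cubeserv.cgi",
     lambda args, env: args.get("Layer") == "Forest Cover" and int(args.get("scale", 0)) > 10000),
    ("NFIS:CFS:*", "https://ca.nfis.org/cubestor/*",
     lambda args, env: env.get("REMOTE_ADDR", "").startswith("10.")),   # constructed address range
]

def authorized(identity, url, args, env):
    """Deny by default; grant only when some rule matches Who, What and How."""
    for who, what, how in RULES:
        if who_matches(identity, who) and fnmatch.fnmatchcase(url, what) and how(args, env):
            return True
    return False
```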

21. How DACS Works
1. A user equipped with a web-based application connects to a DACS-enhanced Web server.
2. The user enters a valid user name/password or presents an X.509 certificate.
3. DACS authenticates the user and, on success, sends a "cookie" to the client application.
4. The client application formulates service requests.
5. DACS applies access control rules to the HTTP/S GET/POST request.
6. If granted, the service request is processed normally; DACS ensures the user's credentials are passed along with the request.

22. DACS and Single Sign-On
(Diagram: user NFIS:AB:phil signs on over SSL to DACS at the Alberta jurisdiction (ab.nfis.org) and receives a "cookie"; a WMS request carrying the previously assigned cookie is sent over SSL to Ontario Web Services at the Ontario jurisdiction (on.nfis.org), where authentication and access control are applied and a WMS response is returned. Other nodes shown: Nova Scotia jurisdiction (ns.nfis.org); DACS Federation nfis.org.)

23. Summary
DACS is a distributed access control framework that:
– leverages existing authentication mechanisms of member jurisdictions
– spans jurisdictions
– allows users to access resources at different jurisdictional nodes without having to re-authenticate
– leaves access control decisions under jurisdictional authority

24. DACS
Originally developed under contract to Canada's National Forest Information System by DSS Distributed Systems Software Inc.
Deployed for 24+ months on the operational NFIS Network: used to "wrap" the NFIS OGC WMS service, National Forestry Database, MARS Collaborative Web Site, etc.
The DACS framework formed the basis of OGC Draft Interoperability Report OGC 03-038:
– OGC Distributed Access Control System (DACS) DIPR, Edric Keighan, ed., February 4, 2003

25. DACS Status
Current DACS development initiatives:
1. Functionality extension, packaging and commercialization by DSS Distributed Systems Software, Inc. (http://www.dss.bc.ca)
2. Functionality extension, packaging and commercialization by CubeWerx Inc. (http://www.cubewerx.com) under a GeoInnovations (http://www.geoconnections.org) contract to produce the DACS-in-a-Box product

26. Further information
NFIS, CCFM, GeoConnections, CubeWerx, DSS

