Presentation is loading. Please wait.

Presentation is loading. Please wait.

ESRIN, 15 July 2009 Slide 1 Web Service Security support in the SSE Toolbox HMA-T Phase 2 FP 14 December 2009 S. Gianfranceschi, Intecs.

Similar presentations


Presentation on theme: "ESRIN, 15 July 2009 Slide 1 Web Service Security support in the SSE Toolbox HMA-T Phase 2 FP 14 December 2009 S. Gianfranceschi, Intecs."— Presentation transcript:

1 ESRIN, 15 July 2009 Slide 1 Web Service Security support in the SSE Toolbox HMA-T Phase 2 FP 14 December 2009 S. Gianfranceschi, Intecs

2 ESRIN, 15 July 2009 Slide 2 Agenda  Introduction  Toolbox Security Overview  Security Service Creation  Security Demo

3 ESRIN, 15 July 2009 Slide 3 Agenda  Introduction  Toolbox Security Overview  Security Service Creation  Security Demo

4 ESRIN, 15 July 2009 Introduction  The Toolbox is a framework which facilitate the integration of web services in the HMA infrastructure.  The component that has been provided in this project is finalized of providing WS-Security at Ground Segment level, enabling existing GS to wrap and connect their own catalogues/services to the HMA infrastructure.  It implements OGC 07-118r1 0.0.5  Both internal (deployed on the Toolbox) and external (proxy) services can be secured with this extension. Slide 4

5 ESRIN, 15 July 2009 HMA Infrastructure high-level diagram Slide 5

6 ESRIN, 15 July 2009 Slide 6 Agenda  Introduction  Toolbox Security Overview  Security Service Creation  Security Demo

7 ESRIN, 15 July 2009 Toolbox Architecture Application layer Gateway Asynchronous Operation Synchronous Operation Operation Service Asynchronous Operation Synchronous Operation Operation SOAP layer WS-Policy WS-Security Layer WS-Policy XACML Policy Application Security Layer XACML Policy

8 ESRIN, 15 July 2009 Toolbox Security Architecture  Axis2 as basic SOAP engine  Axis2 module Rampart (Apache Software Foundation) for WS-Security layer: its behaviour has been extended to cover the HMAT security requirements (HMAT- SRD-1200-INT_1.1)  ToolboxSecurityWrapper: Axis2 service with link to the Policy Enforcement Point (PEP, Application Security Layer) and Toolbox Application Layer Axis2 RAMPART 4HMAT RAMPART 4HMAT WS-Policy ToolboxSecurity Wrapper (Axis2 service) Service Description ToolboxPEP XACML Policies Toolbox Application Layer SOAP

9 ESRIN, 15 July 2009 Toolbox Security Architecture: Main Activities Allocation Slide 9 Security Layer 1 2 Check encrypted SAML existence, decrypt it. WS- Security signed- encrypted SOAP request 3 Enforce enterprise policies Toolbox Serve request (Application layer) 45 Fault Soap response verify SAML token Decrypted SAML, SOAP request/ac tion 6 Get SAML assertion Identity Provider Client ToolboxPDP XACML Policies RAMPART 4HMAT RAMPART 4HMAT WS-Policy

10 ESRIN, 15 July 2009 Toolbox Security Architecture: ToolboxPDP  ToolboxPDP: invoked by the ToolboxSecurityWrapper when WS-Security check is successful; enforces XACML policies check  XACML policies are stored in dedicated XML files  Each policy owns information about the wrapped service and (optionally) SOAP action for which the policy applies Owns a list of policy rules; each rule can refer SAML token and/or SOAP (body) attributes values. ToolboxPEP XACML Policies

11 ESRIN, 15 July 2009 XACML example for EO EbRim profile (1/3) The target wrapped service for which this policy applies: wrs (Web Registry Service)

12 ESRIN, 15 July 2009 XACML example for EO EbRim profile (2/3) SOAP action for registry update

13 ESRIN, 15 July 2009 Slide 13 Agenda  Introduction  Toolbox Security Overview  Security Service Creation  Security Demo

14 ESRIN, 15 July 2009 Proxy patterns supported Service Toolbox PEP http requestresponse Secured Client External Service http requestresponse Service Toolbox PEP http requestresponse Secured Client External Service http requestresponse PEP The token can be not encrypted or encrypted with the public key of the receiver

15 ESRIN, 15 July 2009 General configuration Slide 15 This keystore should contains all the public key of the trusted IDP. The Toolbox uses this keys to check the signature. It loops on all the keys and go ahead only if a key allow checking the signature

16 ESRIN, 15 July 2009 Service creation: Catalogue proxy (1) Slide 16 Select the service name and click on Next Select the type of service and click on Next Enter a Service Abstract and a Service Description and click on next

17 ESRIN, 15 July 2009 Service creation: Catalogue proxy (2) Slide 17 Select the interface and click on Next Select the type of Service and click on Next Enter the security parameters and click on next Upload the keystore storing the service private KEY to be used to decrypt the incoming tokens. In case the service is configured as security proxy and the outgoing messages have to be re-encrypted the keystore should also contain the public key of the connected end point. Enter Alias and Password: - Alias is the identifier of the key in the keystore - Password of the keystore Enter Alias and Password: - Alias is the identifier of the key in the keystore - Password of the keystore XACML file specifying the filtering rules to be applied to the incoming messages.

18 ESRIN, 15 July 2009 Service creation: Catalogue proxy (3) Slide 18 Configure the type of proxy you want to create and click on configure Select the operation you want to proxy Tick this if you want to forward the message with the security token unencrypted Tick this if you want to forward the message with the security token encrypted using the key of the receiver (to be included in the keystore of the service and identified via the Alias below) End point of the receiver Alias of the key to be used to encrypt the security token

19 ESRIN, 15 July 2009 Slide 19 Agenda  Introduction  Toolbox Security Overview  Security Service Creation  Security Demo

20 ESRIN, 15 July 2009 Slide 20 Security demo Catalogue Service Toolbox PEP http request response Secured Client ERGO catalogue http request response Simulated IDP http request response VIDEO


Download ppt "ESRIN, 15 July 2009 Slide 1 Web Service Security support in the SSE Toolbox HMA-T Phase 2 FP 14 December 2009 S. Gianfranceschi, Intecs."

Similar presentations


Ads by Google