WS-Security: Practical lessons from the frontline with the Government Gateway

Government Gateway Overview
Jerry Fishenden, Industry Strategy Consultant, Government and Education, Microsoft UK

Before the Government Gateway
(diagram: regional and local government, national assemblies, central government departments and the citizen)

Broad Identity (ID) Management and Messaging/Transaction Issues
- massively scalable – national populations range from <1m to >c.1bn
- needs to tackle:
  - authentication (we know who the person is)
  - authorisation (we know they are entitled to use the service)
  - the capacity they're operating in (ie. their role)
- varied credential types (userID/password, digital certificate, bio-authentication), potentially issued by various (trusted) parties
- needs to support delegated rights:
  - to third parties (agents / intermediaries acting on behalf of people)
  - to assistants within an organisation (subsets of user rights)
- reliable, secure, two-way transactional sync and async messaging between citizens, businesses, intermediaries and government

The Government Gateway
Provides the UK Government's e-services agenda with:
- cross-government identity management: authentication, authorisation, delegated rights and roles for citizens, businesses, intermediaries and government employees
- messaging and transaction facilities for citizen-to-government (C2G), business-to-government (B2G) and government-to-government (G2G)

Gateway Standards are e-GIF standards
(Metadata Framework, Security Framework, Data Interoperability (XML), Management & Operations)
The UK has adopted open standards as the way to underpin its e-Government programme. Key elements of this include:
- metadata framework: Dublin Core / W3C Resource Description Framework
- security framework: ISO/IEC 17799:2000 (information technology, code of practice for information security management), Common Criteria
- data interoperability: IETF, W3C, WS-I, OASIS interoperability standards (eg. XML, SOAP)
- management and operations: OGC ITIL
These standards – published in the e-Government Interoperability Framework (e-GIF) – underpin the Government Gateway's technical design.

Government Gateway Overview
(diagram: channels and devices – mobiles, phones, PCs, PDAs, TV, call centres etc – reach the Gateway through portals and the Internet; Government Gateway ID Management (Authentication & Authorisation) handles authentication / authorisation; Messaging & Interoperability (Transaction Engine) handles document submissions / data interactions with departments such as IR, DWP and local authorities)

Gateway Overview
(diagram: Gateway, Department, Local Authority, PC & third party applications, Portal Applications)

A&A web service
- the Government Gateway is designed as a piece of 'middleware' and exposes its authentication / authorisation functionality through programmatic interfaces built using web services
- the authentication / authorisation web service interface defines a variety of methods for authentication and authorisation of users
- it uses the open WS-* standards: WS-Security, WS-Trust, WS-Policy
- the model is designed to provide the basis for a single sign-on (SSO) framework suitable for both web services and web sites
- it has over 4m user accounts and is designed to scale to 60m+

Government Gateway Transaction Engine
- provides a single, consistent point of interaction for all citizen-to-government, business-to-government and government-to-government online services
- XML in/out – uses UK Government GovTalk
- reliable end-to-end messaging from point of origination to delivery
- uses the authentication and authorisation engine to validate messages
- validates, authenticates and routes XML messages between connected parties (C2G, B2G, G2G)
- calls R&E (A&A) for authentication and authorisation
- provides audit and message tracking
- all interfaces use open interoperability standards – XML, HTTP, SOAP
- handling millions of messages per annum (tax returns, claim forms, etc)

Live examples of Gateway-SSO sites and applications

The Government Gateway
James Brown, [email protected], Senior Developer, Solidsoft

Overview
- Why use WS standards?
- What are the WS standards?
- Microsoft WSE 2.0
- Lessons learnt

The Government Gateway and Web Services
- Existing SOAP interface
- Need to replicate all the functionality of the UI, and more, as a Web Service
- Version 1.65

Requirements for the Web Service
- Adhere to open standards: supported by a wide range of companies
- Easy to implement: Microsoft WSE 2.0 is easy to develop against; toolkits are available from multiple vendors
- Future-proof: an ever-increasing list of standards; more companies are joining the process; future Microsoft products are utilising the standards

What are the WS Standards?
- Too many to list here
- Composability: just use the WS-* standards that you need
- How do they manifest themselves? All are contained in the SOAP Envelope (Header, Body), which encapsulates everything required in a single XML document, all using current technologies and practices

WS-I
- www.ws-i.org, set up by Microsoft and IBM
- Provides clarity on specifications: publishes guidelines, coordinates specs, sample applications, test tools, special interest groups
- "If you're an infrastructure player and don't buy into the WS-I group, don't even show up; we won't do business with you." Merrill Lynch CTO John McKinley, http://news.com.com/2009-1001-983559.html

WS-Addressing
- What is WS-Addressing? The basic problems we face: how do we get a SOAP message from A to B, and how do we deal with replies and errors?
- These start to become real problems when disparate systems are communicating
- How is this problem solved?

WS-Security
- WS-Security describes enhancements to SOAP messaging to provide message integrity, message confidentiality and single-message authentication
- Tokens assert claims (username, public keys) with proof of possession (passwords, private keys)
- Token types: Username Tokens; Binary Security Tokens (X509 tokens, Kerberos tokens); Custom XML Tokens (SAML tokens, Gateway tokens)

WS-Trust
- Defines the means by which a service can delegate the authentication of credentials to another party
- Scope of trust: the client presents a username token to the STS and requests a custom token; the STS returns a CustomToken; the client then presents the custom token to the Gateway with each SOAP function call

Gateway Token (tags repaired so the sample is well-formed; elided values are as on the slide)
    <Token>
      <Created>2004-08-22T17:35:18Z</Created>
      <Expires>2004-08-22T21:35:18Z</Expires>
      <Usage>Standard</Usage>
      <Opaque>
        <CredentialIdentifier>5KU74UF..</CredentialIdentifier>
        Lksjhvcnf7842jmnrfyunwe9yu378yt6943y3e…
        <tSchemeLevel>1</tSchemeLevel>
        <Nonce>ft45t……</Nonce>
        <hMAC>ygk1…….</hMAC>
      </Opaque>
    </Token>

WS-Policy
- A way to advertise and enforce the policies of your site: message age, types of tokens, lifetime of tokens, which elements need to be signed
- Complex: <Or>, <ExactlyOne>
- XML based; send-side and receive-side

Microsoft Web Services Enhancements 2.0 (WSE)
- Designed to bring advanced Web Services technologies based on standard protocols to developers
- Integrates with Visual Studio .NET and the .NET Framework
- What do you get with WSE? WS-Addressing, WS-Security, WS-Policy, WS-SecurityPolicy, WS-Trust, WS-SecureConversation, WS-Referral, WS-Attachments, interoperability

WSE 2.0
- Applications can be hosted in multiple environments: ASP.NET, Winforms, NT Services
- Multiple transports: raw TCP, HTTP
- Low-level APIs

How does WSE work?
(pipeline diagram: SoapContext passes through the Policy, Referral, Security, Trace and custom filters, consulting the Security Token Manager, before reaching user code)

Security Token Managers
- UsernameTokenManager
- X509TokenManager
- Custom SecurityTokenManager

Simple Web Service

Government Gateway and WSE
- Custom filters: EIF tracing; check on custom token count (added in WSE 2.0 SP1)
- CustomSecurityTokenService: distributes GatewayTokens
- UsernameTokenManager: validates username/password against the database
- X509TokenManager: validates signature and certificate
- CustomTokenManager: used to validate GatewayTokens
- Policy files

Lessons Learnt…
- WSE config files: no room for error; mainly an issue early on in the project
- Certificates: permissions, .cer files
- Performance
- Time difference between servers: servers on a domain do not sync accurately enough

Lessons Learnt…
- Interoperability: use SOAP as a message delivery mechanism, not RPC; design the message XML first
- Specifications: still evolving; not all are ratified
- Start-up times: easy to miss in testing; web farms make it worse

Resources
- www.msdn.microsoft.com/webservices
- Public groups: microsoft.public.dotnet.framework.webservices.enhancements
- Blogs: Hervey Wilson, Simon Guest, Aaron Skonnard
- Sample applications ship with WSE 2.0
- Reflector: http://www.aisto.com/roeder/dotnet
- Tools with WSE 2.0: policy editors, config editors, certificate manager
- Books: Expert Service-Oriented Architecture in C#: Using the Web Services Enhancements 2.0 (Apress); Secure Code 2 (Microsoft Press)

© 2003 Microsoft Limited. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.
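The WS-Trust flow on the slides (the STS issues a Gateway Token; the client presents it on every call) and the Gateway Token layout, as an added Python example that is not code from the Government Gateway, Solidsoft or WSE: a hypothetical STS minting such a token and the Gateway-side validator, which checks the hMAC before trusting any claim and allows for the server clock drift listed under Lessons Learnt. The HMAC construction (HMAC-SHA256 over the pipe-joined fields), the shared key and the five-minute skew are assumptions, not on the slides.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"
CLOCK_SKEW = timedelta(minutes=5)  # tolerance for the clock drift between servers (assumed value)
MAC_FIELDS = ("CredentialIdentifier", "tSchemeLevel", "Nonce", "Created", "Expires")


def _mac(key, fields):
    # Assumed construction: HMAC-SHA256 over the pipe-joined fields; the slides do not say.
    return hmac.new(key, "|".join(fields[f] for f in MAC_FIELDS).encode(), hashlib.sha256).digest()


def mint_token(key, cred_id, level, nonce, created, lifetime):
    """What a hypothetical STS issues after a successful UsernameToken check."""
    fields = {"CredentialIdentifier": cred_id, "tSchemeLevel": str(level), "Nonce": nonce,
              "Created": created.strftime(TIME_FMT),
              "Expires": (created + lifetime).strftime(TIME_FMT)}
    mac = base64.b64encode(_mac(key, fields)).decode()
    return (f"<Token><Created>{fields['Created']}</Created><Expires>{fields['Expires']}</Expires>"
            f"<Usage>Standard</Usage><Opaque><CredentialIdentifier>{cred_id}</CredentialIdentifier>"
            f"<tSchemeLevel>{level}</tSchemeLevel><Nonce>{nonce}</Nonce><hMAC>{mac}</hMAC></Opaque></Token>")


def validate_token(xml_text, key, now):
    """Gateway-side check of a presented token: (True, credential id) or (False, reason)."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return False, "malformed xml"

    def text(path):
        el = root.find(path)
        return (el.text or "").strip() if el is not None else ""

    fields = {"Created": text("Created"), "Expires": text("Expires"),
              "CredentialIdentifier": text("Opaque/CredentialIdentifier"),
              "tSchemeLevel": text("Opaque/tSchemeLevel"), "Nonce": text("Opaque/Nonce")}
    if not all(fields.values()) or text("Usage") != "Standard":
        return False, "missing field or unsupported usage"
    # Authenticate the token before acting on anything it claims (constant-time compare).
    try:
        presented = base64.b64decode(text("Opaque/hMAC"), validate=True)
    except ValueError:
        return False, "bad hmac encoding"
    if not hmac.compare_digest(_mac(key, fields), presented):
        return False, "bad hmac"
    try:
        created = datetime.strptime(fields["Created"], TIME_FMT).replace(tzinfo=timezone.utc)
        expires = datetime.strptime(fields["Expires"], TIME_FMT).replace(tzinfo=timezone.utc)
    except ValueError:
        return False, "bad timestamp"
    if created - CLOCK_SKEW > now:
        return False, "created in the future"
    if now > expires + CLOCK_SKEW:
        return False, "expired"
    return True, fields["CredentialIdentifier"]
```

The token is reused across calls, so its Nonce only makes each issued token unique for the MAC; per-message replay protection belongs in the WS-Security header of each call, not here.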