presented at: demonstrations and prototypes tim 7 presented by: dominic timoteo / shoeb jafri swim...
TRANSCRIPT
Presented at: Demonstrations and Prototypes TIM 7
Presented by: Dominic Timoteo / Shoeb Jafri SWIM Implementation Team
May 04, 2011
Federal AviationAdministration
SWIM Web Service Security Conformance Test Kit (CTK)
Demonstrations & Prototypes TIM 7 – SWIM Security CTK
2 Federal AviationAdministrationMay 04, 2011
What is CTK?
• The CTK is a testing tool that can be used to gauge that a message sender and/or message recipient meets the Web Service security requirements mandated by SWIM policy and described in the “SWIM Web Service Security Specification.”
• These policies have been created to:– simplify the integration and
management of services in the NAS, – increase the flexibility of the NAS
system-of-systems architecture, and – enable consistent approaches to
service security and management.
• Prototype for SWIM Segment 2
Demonstrations & Prototypes TIM 7 – SWIM Security CTK
3 Federal AviationAdministrationMay 04, 2011
CTK WHY, WHEN, WHERE & HOW• WHY?
To test for Service & Client compliance with any SWIM Web Service Security profile specified in the SWIM Web Service Security Specification so potential problems in security implementations are identified and resolved as soon as possible
• WHEN? During the National Airspace System Service Registry/Repository (NSRR) Development
lifecycle stage
• WHERE?To be run by the developers at their site against their developed Web Service
• HOW?Attach/Upload generated compliance report to NSRR for approval by SWIM Governance
Note: Actional Team Server is run during the NSRR Verification lifecycle stage to check for SWIM Web Service-Interoperability (WS-I) Profile compliance.
Idea
Proposed Definition Development Verification
Production
Deprecated Retired
New ServiceConcept / Major or Minor Update
Approved forSWIM Service
Revision Update
In ServiceDecision
RetirementDecision
RetirementDate
CTK ReportFor
SWIM Security Profile
ATS ReportFor
SWIM WS-I Profile
SWIM Service Lifecycle Stages
Demonstrations & Prototypes TIM 7 – SWIM Security CTK
4 Federal AviationAdministrationMay 04, 2011
CTK - Goals And Key Concepts• Provide capabilities to validate Web Services
security profiles according to SWIM Web Service Security Specification– Transport Level Security (TLS)– WS-Security Username Token (UT)– WS-Security Binary Security Token (BST)– Security Assertion Markup Language Token (SAML)
• Provide capabilities to demonstrate application and enforcement of SWIM security policies – Using WSDL that includes WS-Policy attachments– Creating validation report– Including positive/negative test suites
• Provide capabilities to validate 3rd party service providers– Security Token Service (STS)
Demonstrations & Prototypes TIM 7 – SWIM Security CTK
5 Federal AviationAdministrationMay 04, 2011
SWIM SECURITY PROFILES
Demonstrations & Prototypes TIM 7 – SWIM Security CTK
6 Federal AviationAdministrationMay 04, 2011
SECURITY PROFILE APPLICATION MATRIX
Demonstrations & Prototypes TIM 7 – SWIM Security CTK
7 Federal AviationAdministrationMay 04, 2011
CTK – Testing Contexts Summary
• Multiple testing contexts (8)– Implemented on FUSE ESB 4.2, using FUSE Services
Framework and FUSE Mediation Router
Demonstrations & Prototypes TIM 7 – SWIM Security CTK
8 Federal AviationAdministrationMay 04, 2011
Driver
• 3rd Party Service connected to CTK-Client
CTKCLIENTSERVICE
1
6
3
4
5 Evaluate Response Security
2 Evaluate Request Security
<< canonical service >>
Evaluator ReporterTest Driver
CTK Scope
Tested Component
Request
Response
<< proxy >>
Demonstrations & Prototypes TIM 7 – SWIM Security CTK
9 Federal AviationAdministrationMay 04, 2011
Client-Server over HTTPS using BST
CTKCLIENT SERVICE1
2
3
4
5
6
Evaluate Request Security
Evaluate Response Security
Evaluator Reporter
CTK Scope
Tested Component
Request
Response
<< proxy >>
• Purpose: validate both client and server– SWIM WSS Profile: BST– Client and server protocol: HTTPS
• Setup / Configuration:– Direct Proxy Context
• CTK Harness: Proxy• CTK Test Suite; BST
• Result– 51 exchanges with expected pass/failure
Demonstrations & Prototypes TIM 7 – SWIM Security CTK
10 Federal AviationAdministrationMay 04, 2011
REPORT: Test Result Summary: Client-Server over HTTPS using BST
Demonstrations & Prototypes TIM 7 – SWIM Security CTK
11 Federal AviationAdministrationMay 04, 2011
REPORT: Test Suite Results Summary
Demonstrations & Prototypes TIM 7 – SWIM Security CTK
12 Federal AviationAdministrationMay 04, 2011
REPORT: Message Exchange PASS Results
Demonstrations & Prototypes TIM 7 – SWIM Security CTK
13 Federal AviationAdministrationMay 04, 2011
REPORT: Message Exchange FAIL Results
Demonstrations & Prototypes TIM 7 – SWIM Security CTK
14 Federal AviationAdministrationMay 04, 2011
REPORT: Request PASS Result
Demonstrations & Prototypes TIM 7 – SWIM Security CTK
15 Federal AviationAdministrationMay 04, 2011
REPORT: Request FAIL Result
Demonstrations & Prototypes TIM 7 – SWIM Security CTK
16 Federal AviationAdministrationMay 04, 2011
REPORT: Message