SWIM Web Service Security Conformance Test Kit (CTK)

Presented at: Demonstrations and Prototypes TIM 7
Presented by: Dominic Timoteo / Shoeb Jafri, SWIM Implementation Team
May 04, 2011
Federal Aviation Administration



Page 2

Demonstrations & Prototypes TIM 7 – SWIM Security CTK

Federal Aviation Administration, May 04, 2011

What is CTK?

• The CTK is a testing tool used to gauge whether a message sender and/or message recipient meets the Web Service security requirements mandated by SWIM policy and described in the “SWIM Web Service Security Specification.”

• These policies have been created to:
  – simplify the integration and management of services in the NAS,
  – increase the flexibility of the NAS system-of-systems architecture, and
  – enable consistent approaches to service security and management.

• Prototype for SWIM Segment 2

Page 3

CTK WHY, WHEN, WHERE & HOW

• WHY? To test for Service & Client compliance with any SWIM Web Service Security profile specified in the SWIM Web Service Security Specification, so that potential problems in security implementations are identified and resolved as soon as possible.

• WHEN? During the National Airspace System Service Registry/Repository (NSRR) Development lifecycle stage.

• WHERE? To be run by the developers at their site against their developed Web Service.

• HOW? Attach/Upload the generated compliance report to NSRR for approval by SWIM Governance.

Note: Actional Team Server is run during the NSRR Verification lifecycle stage to check for SWIM Web Service-Interoperability (WS-I) Profile compliance.

[Figure: SWIM Service Lifecycle Stages: Idea → Proposed → Definition → Development → Verification → Production → Deprecated → Retired. Transitions shown: New Service Concept / Major or Minor Update, Approved for SWIM Service, Revision Update, In Service Decision, Retirement Decision, Retirement Date. The CTK Report for the SWIM Security Profile is attached at the Development stage; the ATS Report for the SWIM WS-I Profile at the Verification stage.]

Page 4

CTK - Goals And Key Concepts

• Provide capabilities to validate Web Services security profiles according to the SWIM Web Service Security Specification
  – Transport Level Security (TLS)
  – WS-Security Username Token (UT)
  – WS-Security Binary Security Token (BST)
  – Security Assertion Markup Language Token (SAML)

• Provide capabilities to demonstrate application and enforcement of SWIM security policies
  – Using WSDL that includes WS-Policy attachments
  – Creating validation report
  – Including positive/negative test suites

• Provide capabilities to validate 3rd party service providers
  – Security Token Service (STS)

Page 5

SWIM SECURITY PROFILES

Page 6

SECURITY PROFILE APPLICATION MATRIX

Page 7

CTK – Testing Contexts Summary

• Multiple testing contexts (8)
  – Implemented on FUSE ESB 4.2, using FUSE Services Framework and FUSE Mediation Router

Page 8

Driver

• 3rd Party Service connected to CTK-Client

[Figure: Driver testing context. Components: CTK (Test Driver, Evaluator, Reporter), Client, Service (<< canonical service >>, << proxy >>). Numbered message exchange 1–6 between Client and Service through the CTK, with step 2 “Evaluate Request Security” and step 5 “Evaluate Response Security”. Labels: CTK Scope, Tested Component, Request, Response.]

Page 9

Client-Server over HTTPS using BST

[Figure: Direct Proxy testing context. Components: CTK (Evaluator, Reporter) as << proxy >> between Client and Service. Numbered message exchange 1–6, with “Evaluate Request Security” and “Evaluate Response Security” performed in the CTK. Labels: CTK Scope, Tested Component, Request, Response.]

• Purpose: validate both client and server
  – SWIM WSS Profile: BST
  – Client and server protocol: HTTPS

• Setup / Configuration:
  – Direct Proxy Context
  – CTK Harness: Proxy
  – CTK Test Suite: BST

• Result
  – 51 exchanges with expected pass/failure
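Added example (not from the FAA deck or the CTK itself): a structural evaluator for the BST profile of the kind the CTK's “Evaluate Request Security” step performs, run as a positive/negative suite with a reporter that compares each exchange's actual outcome against its expected one (the goals on page 4 and the BST context above). The three requirements it checks (an X509v3 BinarySecurityToken in the wsse:Security header, a ds:Signature, and a SecurityTokenReference pointing at that token) are an assumed illustrative subset; the real requirements come from the SWIM Web Service Security Specification, and no signature cryptography is verified here.

```python
import xml.etree.ElementTree as ET

# SOAP 1.1 and OASIS WS-Security 1.0 namespaces used by BST-secured messages.
NS = {"s": "http://schemas.xmlsoap.org/soap/envelope/",
      "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
      "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
X509V3 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"

def evaluate_bst(envelope_xml):
    """Structural 'Evaluate Request Security' check for the BST profile: returns the list of
    violated requirements (empty == compliant). Assumed illustrative subset, not the SWIM spec."""
    sec = ET.fromstring(envelope_xml).find("s:Header/wsse:Security", NS)
    if sec is None:
        return ["no wsse:Security header"]
    problems = []
    bst = sec.find("wsse:BinarySecurityToken", NS)
    if bst is None or bst.get("ValueType") != X509V3:
        problems.append("missing X509v3 wsse:BinarySecurityToken")
    ref = sec.find("ds:Signature/ds:KeyInfo/wsse:SecurityTokenReference/wsse:Reference", NS)
    if ref is None:
        problems.append("missing ds:Signature with a SecurityTokenReference")
    elif bst is None or ref.get("URI") != "#" + bst.get("{%s}Id" % NS["wsu"], ""):
        problems.append("Signature does not reference the presented BST")
    return problems

def build_envelope(with_bst=True, token_id="X509-1", signed_ref="X509-1"):
    """Constructed sample envelope (not a real SWIM message; the certificate bytes are a placeholder)."""
    bst = (f'<wsse:BinarySecurityToken wsu:Id="{token_id}" ValueType="{X509V3}">'
           'PLACEHOLDER-CERT</wsse:BinarySecurityToken>') if with_bst else ""
    return (f'<s:Envelope xmlns:s="{NS["s"]}" xmlns:wsse="{NS["wsse"]}" '
            f'xmlns:wsu="{NS["wsu"]}" xmlns:ds="{NS["ds"]}"><s:Header>'
            f'<wsse:Security s:mustUnderstand="1">{bst}<ds:Signature><ds:KeyInfo>'
            f'<wsse:SecurityTokenReference><wsse:Reference URI="#{signed_ref}"/>'
            '</wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature>'
            '</wsse:Security></s:Header><s:Body/></s:Envelope>')

# Positive/negative suite: each exchange carries its expected outcome, as the CTK report does.
SUITE = [("bst-positive", build_envelope(), "PASS"),
         ("bst-missing-token", build_envelope(with_bst=False), "FAIL"),
         ("bst-dangling-reference", build_envelope(signed_ref="X509-999"), "FAIL")]

def run_suite(suite=SUITE):
    """Reporter: one row per exchange, (name, expected, actual, as_expected, findings)."""
    report = []
    for name, envelope, expected in suite:
        problems = evaluate_bst(envelope)
        actual = "FAIL" if problems else "PASS"
        report.append((name, expected, actual, actual == expected, problems))
    return report
```

A negative case passes the suite when the evaluator rejects it for the expected reason, which is what “expected pass/failure” means in the CTK report summary.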

Page 10

REPORT: Test Result Summary: Client-Server over HTTPS using BST

Page 11

REPORT: Test Suite Results Summary

Page 12

REPORT: Message Exchange PASS Results

Page 13

REPORT: Message Exchange FAIL Results

Page 14

REPORT: Request PASS Result

Page 15

REPORT: Request FAIL Result

Page 16

REPORT: Message