OGC®
Engineering Report OGC 12-118
Copyright © 2013 Open Geospatial Consortium
5 SSI Thread Security
For the SSI Thread in OWS‐9, the security approach focused on testing the interoperability of standards‐based interfaces between software products of different vendors and different security protocols, involving Message Level Security with WS‐Security and Transport Level Security.
In addition, the execution of XACML 2 based policies on different vendors' Policy Decision Points was evaluated with regard to interoperability.
5.1 Architecture Overview
The following figure illustrates the initial, high level architecture which is meant to be used for exploring more details.
Figure 1 — Initial Security Architecture for the SSI thread
As outlined in the figure above, the architecture comprises the following software components:
PAP Policy Administration Point:
This service enables a security administrator to define access rights described in XACML 2.0 or GeoXACML 1.0. For this purpose, a thin client application is available that provides pro‐active support for the administrator. The following screenshot illustrates the client:
Figure 2 — Initial Security Architecture for the SSI thread
The illustrated example provides a tree view of a XACML 2.0 policy for enforcing access rights to a WFS, where access is restricted to a whitelist of IP addresses. Exploring the policy in more detail with the client would show that the policy gets enforced when the client IP address is one of the listed addresses: the Condition evaluates to true and the enclosing Rule element instructs the PDP to derive a “PERMIT” authorization decision. If the Condition does not match, that is, the client does not have a listed IP address, the Rule “default:deny” instructs the PDP to return a “DENY” decision.
The PAP provides a Web Service endpoint that supports requesting a XACML 2.0 or GeoXACML 1.0 policy based on the PolicyId or PolicySetId attribute.
PDP Policy Decision Point:
The Policy Decision Point is responsible for deriving an authorization decision based on the information provided in the authorization decision request received from the PEP and the Policy loaded from the PAP.
If the PDP is a XACML 2.0 compliant implementation, it will accept XACML 2.0 policies. If the PDP is a GeoXACML 1.0 compliant implementation, it will accept a
GeoXACML 1.0 or a XACML 1.0 policy.
PEP Policy Enforcement Point:
The Policy Enforcement Point is responsible for rejecting or accepting requests from a client to a service that is protected by the PEP.
For OWS‐9, the PEP is also responsible for modifying intercepted requests to the service or intercepted responses from the service according to XACML 2.0
Obligations that are expressed in the authorization decision that was received from the PDP.
STS Secure Token Service:
The Secure Token Service is responsible for issuing access tokens that are added to messages sent to the PEP, which expects WS‐Security conformant SOAP messages.
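The IP whitelist policy described for the PAP, together with the PDP and PEP roles above, as an added example that is not code from this report or from any OWS‐9 participant: a constructed XACML 2.0 policy and a small Python evaluator that handles only this one Condition shape. The attribute id urn:example:subject:ip-address, the policy id, the rule id permit:listed-ip, the listed addresses and the function names are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
NS = {"x": "urn:oasis:names:tc:xacml:2.0:policy:schema:os"}
FN = "urn:oasis:names:tc:xacml:1.0:function:"
STR = "http://www.w3.org/2001/XMLSchema#string"
IP_ATTR = "urn:example:subject:ip-address"  # hypothetical attribute id

# Constructed policy; the addresses are documentation ranges, not from the report.
POLICY = f"""
<Policy xmlns="{NS['x']}" PolicyId="urn:example:wfs-ip-whitelist"
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
  <Target/>
  <Rule RuleId="permit:listed-ip" Effect="Permit">
    <Condition>
      <Apply FunctionId="{FN}string-at-least-one-member-of">
        <SubjectAttributeDesignator AttributeId="{IP_ATTR}" DataType="{STR}"/>
        <Apply FunctionId="{FN}string-bag">
          <AttributeValue DataType="{STR}">192.0.2.10</AttributeValue>
          <AttributeValue DataType="{STR}">198.51.100.7</AttributeValue>
        </Apply>
      </Apply>
    </Condition>
  </Rule>
  <Rule RuleId="default:deny" Effect="Deny"/>
</Policy>"""

def condition_holds(rule, subject):
    """Evaluate the single Condition shape used above; a Rule without one always applies."""
    cond = rule.find("x:Condition/x:Apply", NS)
    if cond is None:
        return True
    if cond.get("FunctionId") != FN + "string-at-least-one-member-of":
        raise ValueError("unsupported function")
    attr = cond.find("x:SubjectAttributeDesignator", NS).get("AttributeId")
    listed = {v.text.strip() for v in cond.findall("x:Apply/x:AttributeValue", NS)}
    return bool(set(subject.get(attr, [])) & listed)  # missing attribute = empty bag

def pdp_decide(policy_xml, subject):
    """first-applicable: the first Rule whose Condition holds gives the decision."""
    for rule in ET.fromstring(policy_xml).findall("x:Rule", NS):
        if condition_holds(rule, subject):
            return rule.get("Effect"), rule.get("RuleId")
    return "NotApplicable", None

def pep_allows(policy_xml, client_ip):
    """PEP side: forward the request only on an explicit Permit."""
    try:
        effect, _ = pdp_decide(policy_xml, {IP_ATTR: [client_ip]})
    except (ET.ParseError, ValueError, AttributeError):
        return False  # a policy that cannot be evaluated is treated as a rejection
    return effect == "Permit"
```

Because the Rule “default:deny” carries no Condition, it applies to every request that the whitelist Rule did not match, including one that carries no IP attribute at all.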
5.2 Use Case Data Sets Access Restrictions