OGC
®
OWS-9 Security Engineering Report
1 Introduction
1.1 Scope
This Engineering Report describes the approaches to security taken in the OWS-9 initiative. This document presents the results of the work within the OWS-9 Security and
Services Interoperability SSI thread and results from CCI and Innovations Cross Thread activities.
The report also describes the various tasks and their results regarding interoperability between different security components provided by different participants.
1.2 Document contributor contact points
All questions regarding this document should be directed to the editor or the contributors:
Name Organization
Andreas Matheus University of the Bundeswehr
Jan Drewnak, Rüdiger Gartmann con terra
Thomas Dineen LMCO
1.3 Revision history
Date Release
Editor Primary clauses
modified Description
20.07.2012 0.1 AM
First working draft 24.09.2012
- 27.11.2012
0.2 AM
Second working draft – incoperating comments received
Section 5.4 diagrams and text is provided by GEOAxIS and reviewed by con terra
Figures 5.2.1 and 5.2.2 are provided by GEOAxIS and reviewed by con terra
07.12.2012 03 JD, RG
5.4.1, 5.6‐ 5.8, 7.3.
Details on the con terra contribution TD
5.6.1, 5.7.1, 5.8.1
Details on the GEOAxIS contribution
1.4 Future work
Copyright © 2013 Open Geospatial Consortium
10
1.5 Forward
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. The Open Geospatial Consortium shall not be held
responsible for identifying any or all such patent rights.
Recipients of this document are requested to submit, with their comments, notification of any relevant patent claims or other intellectual property rights of
which they may be aware that might be infringed by any implementation of the standard set forth in this document, and to provide supporting documentation.
2 References
The following documents are referenced in this document. For dated references, subsequent amendments to, or revisions of, any of these publications do not apply.
For undated references, the latest edition of the normative document referred to applies.
OASIS XACML 2.0 https:www.oasis‐open.orgcommitteesxacml
OGC GeoXACML 1.0.1 http:portal.opengeospatial.orgfiles?artifact_id=42734
OGC CSW 2.0.2 http:portal.opengeospatial.orgfiles?artifact_id=20555
OGC WFS 2.0 http:portal.opengeospatial.orgfiles?artifact_id=39967
OGC OWS Context used version is not
publicaly available
3 Terms and definitions
For the purposes of this report, the definitions specified in Clause 4 of the OWS Common Implementation Standard [OGC 06‐121r3] and the listed specifications
from section 3 References shall apply. In addition, the following terms and definitions apply.
Context Handler ‐ The system entity that converts decision requests in the native
request format to the XACML canonical form and converts authorization decisions in the XACML canonical form to the native response format
Obligation ‐ An operation specified in a rule, policy or policySet element that should
be performed by the Obligation Handler in conjunction with the enforcement of an authorization decision
Policy ‐ A set of rules, an identifier for the rule‐combining algorithm and
optionally a set of obligations. May be a component of a policy set
Policy Administration Point PAP ‐ The system entity that creates a policy or
policy set
Policy Decision Point PDP ‐ The system entity that evaluates applicable policy
and renders an authorization decision.
Copyright © 2013 Open Geospatial Consortium
11
Policy Enforcement Point PEP ‐ The system entity that performs access control,
by making decision requests and enforcing authorization decisions.
Policy information point PIP ‐ The system entity that acts as a source of
attribute values
Rule ‐ A target, an effect, a condition and obligations. A component of a policy 4 Conventions
AD Authorization decision
ADR Authorization decision request
CCI Cross Community Interoperability
CSW Catalogue Service for the Web
GeoPDP PDP implementing GeoXACML
GeoXACML Geospatial eXtensible Access Control Markup Language
GML Geography Markup Language
HRP Hierarchical Resource Profile
MRP Multiple Resource Profile
OASIS Organization for the Advancement of Structured
Information Standards
OGC Open Geospatial Consortium
OWS OGC Web Service
OWS‐6789 OGC Web Services Initiative, Phase 6789
PAP Policy Administration Point
PDP Policy Decision Point implementing XACML
PEP Policy Enforcement Point
SDI Spatial Data Infrastructure
SOA Service Oriented Architecture
SSI Security and Services Interoperability
URL Uniform Resource Locator
URN Uniform Resource Names
WFS‐T Web Feature Service ‐Transactional
XACML eXtensible Access Control Markup Language
XML eXtensible Markup Language
OGC
®
Engineering Report OGC 12-118
Copyright © 2013 Open Geospatial Consortium
1
5 SSI Thread Security
For the SSI Thread in OWS‐9, the security approach focused on testing interoperability of standards based interfaces between software products of
different vendors and different security protocols, involving Message Level Security with WS‐Security and Transport Level Security.
Also, the execution of XACML 2 based policies on different vendors Policy Decision Points was evaluated regarding interopeability.
5.1 Architecture Overview