OGC ® OWS-9 Security Engineering Report 1 Introduction

1.1 Scope

This Engineering Report describes the approaches to security taken in the OWS-9 initiative. This document presents the results of the work within the OWS-9 Security and Services Interoperability SSI thread and results from CCI and Innovations Cross Thread activities. The report also describes the various tasks and their results regarding interoperability between different security components provided by different participants.

1.2 Document contributor contact points

All questions regarding this document should be directed to the editor or the contributors: Name Organization Andreas Matheus University of the Bundeswehr Jan Drewnak, Rüdiger Gartmann con terra Thomas Dineen LMCO

1.3 Revision history

Date Release Editor Primary clauses modified Description 20.07.2012 0.1 AM First working draft 24.09.2012 - 27.11.2012 0.2 AM Second working draft – incoperating comments received Section 5.4 diagrams and text is provided by GEOAxIS and reviewed by con terra Figures 5.2.1 and 5.2.2 are provided by GEOAxIS and reviewed by con terra 07.12.2012 03 JD, RG 5.4.1, 5.6‐ 5.8, 7.3. Details on the con terra contribution TD 5.6.1, 5.7.1, 5.8.1 Details on the GEOAxIS contribution

1.4 Future work

Copyright © 2013 Open Geospatial Consortium 10

1.5 Forward

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. The Open Geospatial Consortium shall not be held responsible for identifying any or all such patent rights. Recipients of this document are requested to submit, with their comments, notification of any relevant patent claims or other intellectual property rights of which they may be aware that might be infringed by any implementation of the standard set forth in this document, and to provide supporting documentation. 2 References The following documents are referenced in this document. For dated references, subsequent amendments to, or revisions of, any of these publications do not apply. For undated references, the latest edition of the normative document referred to applies. OASIS XACML 2.0 https:www.oasis‐open.orgcommitteesxacml OGC GeoXACML 1.0.1 http:portal.opengeospatial.orgfiles?artifact_id=42734 OGC CSW 2.0.2 http:portal.opengeospatial.orgfiles?artifact_id=20555 OGC WFS 2.0 http:portal.opengeospatial.orgfiles?artifact_id=39967 OGC OWS Context used version is not publicaly available 3 Terms and definitions For the purposes of this report, the definitions specified in Clause 4 of the OWS Common Implementation Standard [OGC 06‐121r3] and the listed specifications from section 3 References shall apply. In addition, the following terms and definitions apply. Context Handler ‐ The system entity that converts decision requests in the native request format to the XACML canonical form and converts authorization decisions in the XACML canonical form to the native response format Obligation ‐ An operation specified in a rule, policy or policySet element that should be performed by the Obligation Handler in conjunction with the enforcement of an authorization decision Policy ‐ A set of rules, an identifier for the rule‐combining algorithm and optionally a set of obligations. May be a component of a policy set Policy Administration Point PAP ‐ The system entity that creates a policy or policy set Policy Decision Point PDP ‐ The system entity that evaluates applicable policy and renders an authorization decision. Copyright © 2013 Open Geospatial Consortium 11 Policy Enforcement Point PEP ‐ The system entity that performs access control, by making decision requests and enforcing authorization decisions. Policy information point PIP ‐ The system entity that acts as a source of attribute values Rule ‐ A target, an effect, a condition and obligations. A component of a policy 4 Conventions AD Authorization decision ADR Authorization decision request CCI Cross Community Interoperability CSW Catalogue Service for the Web GeoPDP PDP implementing GeoXACML GeoXACML Geospatial eXtensible Access Control Markup Language GML Geography Markup Language HRP Hierarchical Resource Profile MRP Multiple Resource Profile OASIS Organization for the Advancement of Structured Information Standards OGC Open Geospatial Consortium OWS OGC Web Service OWS‐6789 OGC Web Services Initiative, Phase 6789 PAP Policy Administration Point PDP Policy Decision Point implementing XACML PEP Policy Enforcement Point SDI Spatial Data Infrastructure SOA Service Oriented Architecture SSI Security and Services Interoperability URL Uniform Resource Locator URN Uniform Resource Names WFS‐T Web Feature Service ‐Transactional XACML eXtensible Access Control Markup Language XML eXtensible Markup Language OGC ® Engineering Report OGC 12-118 Copyright © 2013 Open Geospatial Consortium 1 5 SSI Thread Security For the SSI Thread in OWS‐9, the security approach focused on testing interoperability of standards based interfaces between software products of different vendors and different security protocols, involving Message Level Security with WS‐Security and Transport Level Security. Also, the execution of XACML 2 based policies on different vendors Policy Decision Points was evaluated regarding interopeability.

5.1 Architecture Overview