
Copyright © 2013 Open Geospatial Consortium 7

5.4.1 GEOAxIS PEP – con terra PDP communication protocol

The con terra PDP accepts XACML 2.0 compliant Authorization Decision Requests (ADR) using HTTP POST. The ADR may be wrapped in a SOAP message or sent as the plain HTTP request body. The PDP returns an XACML 2.0 compliant Authorization Decision, again either wrapped in a SOAP message or as the plain HTTP response body, according to the encoding used for the request. For this testbed, the con terra PDP is only available to dedicated source IP addresses.

5.4.2 GEOAxIS con terra PEP – Secure Dimensions PDP communication protocol

The Secure Dimensions PDP accepts XACML 2.0 compliant Authorization Decision Requests (ADR) using HTTP POST. After processing the ADR, it returns an XACML 2.0 compliant Authorization Decision (AD). The structure of the ADR is defined by the XACML 2.0 schema element RequestType and the structure of the AD by ResponseType, both defined in the namespace URI urn:oasis:names:tc:xacml:2.0:context:schema:os. In terms of protection, each PDP provided by Secure Dimensions can only be accessed from a cleared IP address. A request from any other IP address receives an HTTP 403 "Forbidden" status. For GEOAxIS and con terra to use the provided PDP, the PEP's outbound IP address must therefore be known.
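The following sketch is an added example, not code from the testbed or from either vendor. It shows the PEP side of the exchange described in 5.4.1 and 5.4.2: building the ADR and enforcing the returned decision in a deny-biased way, so that an HTTP 403 from the IP filter, a malformed body, or any decision other than a single Permit results in denial. The function names, the sample values and the use of the standard XACML 1.0 subject-id, resource-id and action-id attributes are assumptions.

```python
import xml.etree.ElementTree as ET

CTX = "urn:oasis:names:tc:xacml:2.0:context:schema:os"  # context namespace named above
STRING = "http://www.w3.org/2001/XMLSchema#string"
# Standard XACML 1.0 attribute identifiers, one per request category (assumed choice)
IDS = {"Subject": "urn:oasis:names:tc:xacml:1.0:subject:subject-id",
       "Resource": "urn:oasis:names:tc:xacml:1.0:resource:resource-id",
       "Action": "urn:oasis:names:tc:xacml:1.0:action:action-id"}

def build_adr(subject, resource, action):
    """Serialize an XACML 2.0 <Request> (RequestType) for use as the HTTP POST body."""
    ET.register_namespace("", CTX)
    req = ET.Element(f"{{{CTX}}}Request")
    for category, value in (("Subject", subject), ("Resource", resource), ("Action", action)):
        attr = ET.SubElement(ET.SubElement(req, f"{{{CTX}}}{category}"),
                             f"{{{CTX}}}Attribute", AttributeId=IDS[category], DataType=STRING)
        ET.SubElement(attr, f"{{{CTX}}}AttributeValue").text = value
    ET.SubElement(req, f"{{{CTX}}}Environment")  # required by the schema, may be empty
    return ET.tostring(req, encoding="unicode")

def enforce(http_status, body):
    """Deny-biased PEP: grant access only on exactly one explicit Permit."""
    if http_status != 200:  # e.g. 403 when the PEP's outbound IP is not cleared
        return False
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return False
    # iter() finds <Response> whether it is the root (plain body) or inside a SOAP Body
    responses = list(root.iter(f"{{{CTX}}}Response"))
    if len(responses) != 1:
        return False
    decisions = [(d.text or "").strip() for d in responses[0].iter(f"{{{CTX}}}Decision")]
    return decisions == ["Permit"]

# Constructed sample: a SOAP-wrapped Authorization Decision (not captured from a real PDP)
SAMPLE_SOAP = ('<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
               f'<Response xmlns="{CTX}"><Result><Decision>Permit</Decision></Result></Response>'
               '</s:Body></s:Envelope>')

if __name__ == "__main__":
    print(build_adr("alice", "urn:example:layer:roads", "GetMap"))
    print(enforce(200, SAMPLE_SOAP), enforce(403, SAMPLE_SOAP))
```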

5.4.3 PAP communication protocol

According to the flow of communication, all PDPs load the policy from the Policy Administration Point. It is therefore required that the PAP provides a web-service-like interface in addition to the policy creation and maintenance GUI that can be accessed using login username ows9 and password ogcows9. The PAP service interface for obtaining a policy is not protected. The following service endpoint URL is available:

http://ows9.secure-dimensions.org/cgi-bin/PAP

The Web Service interface can be executed via HTTP GET using Key-Value-Pair encoding to shape the request. Currently, this interface can be executed using the following parameter keys:

• PolicySetId=value tasks the PAP to return the policy where the attribute "PolicySetId" equals value. The root element of the returned policy is a PolicySet element.
• PolicyId=value tasks the PAP to return the policy where the attribute "PolicyId" equals value. The root element of the returned policy is a Policy element.

Figure 5 — Interaction with the PAP's Web Service Interface

5.5 Communication between components