A Guide to Secure Web Services with GJXML by guy21


[Cartoon: "Hey, I downloaded an IEPD!" / "Cool, how do you write a web service?" / "Moo! I use Java" / "I use .NET"]
Service-Oriented Architecture
 The WIJIS Justice Gateway: A single, secure point of read-only access
 to disparate state and local justice information resources.

 [Diagram: Local Law Enforcement Records Management Systems (RMS) and the WIJIS Justice Gateway]
  1) Publish pointers from RMS to Gateway Cache
  2) End Users search Cache, request Incident Report
  3) Gateway requests Incident Report from RMS
  4) RMS returns Incident Report
  5) Gateway displays Incident Report
                                                  WIJIS
WIJIS Developer Guide
 Service providers should be mapping data to GJXML, not bogged down in
 implementation details
 Provide
   Example WSDL – Contract First!
   Server and client implementation in multiple languages
   Compile schema into objects
   XSLT
   http://www.wijiscommons.org/gjxdm_example/
Incident Report IEPD – The Homer Simpson Case Study
  IEPD can be downloaded here:
   http://www.search.org/programs/info/xml-iep.asp

 Let’s take a look, we see…
  Instance Examples
  Document and constraint schemas

 Doh, Now what?
DOT NET 2.0 Instructions
 Generate C# Objects from WSDL with this command:
   wsdl.exe /server http://wijis.wisconsin.gov/wsdl/RecordRetrievalServiceWithIEPD.wsdl

Create .NET Web Service and add references

Example C# files and instructions here:
 http://www.wijiscommons.org/gjxdm_example/#dotNet
Testing the Service – The Python Way
 Create a sample invocation file
 Run the sample python script
  Script can be run over http, https or https w/ client certificates

 Keep the test client simple!
 Examples available here:
  http://www.wijiscommons.org/gjxdm_example/#client
Java Instructions - Overview
  Generate Jar File from WSDL using JAXB
  Download sample Record Retrieval Service Project for Eclipse
  WIJIS provides Ant tasks in project
  Full details at:
   http://www.wijiscommons.org/gjxdm_example/#java
Make your XML look Pretty - XSLT
 WIJIS Gateway invokes services, then:
  WIJIS needed to transform results
  End users are not machines but humans
  Distributing XSLT helps service providers inspect Incident Reports
  before publishing
 Instance and transformed documents here
  http://www.wijiscommons.org/gjxdm_example/#xslt
WIJIS – Security Overview
 Incident Report request conducted over HTTPS with X509 Client Certificates
 Layer 3 IP Address filtering
 WIJIS runs our own certificate authority
 Authorization granted based on name in certificate
WIJIS – 4 Security Tests
 Certificate signed by WIJIS Certificate Authority
 Certificate is not expired
 Name in Certificate matches name on wire
 Certificate has not been revoked
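
An added example, not part of the original slides or the WIJIS code: one way to apply the checks above, and the name-based authorization from the Security Overview, to the dictionary that Python's ssl.SSLSocket.getpeercert() returns. It assumes "name on wire" means the agency name the caller states in its request and that the revocation list is a set of hex serial numbers; the function names and sample certificate are constructed for illustration.

```python
import ssl
import time

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert()
SAMPLE_CERT = {
    "subject": ((("organizationName", "Example PD"),),
                (("commonName", "example-pd"),)),
    "notAfter": "Jan  1 00:00:00 2026 GMT",
    "serialNumber": "0A1B",
}

def subject_cn(peer_cert):
    """Return the subject commonName from a getpeercert() dict, or None."""
    for rdn in peer_cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def check_client(peer_cert, claimed_name, authorized, revoked_serials, now=None):
    """Return (allowed, reason) for a client certificate.

    Test 1 (signed by the private CA) is assumed done by the TLS layer:
    verify_mode = ssl.CERT_REQUIRED with only that CA loaded as trusted.
    """
    now = time.time() if now is None else now
    if not peer_cert:
        return False, "no client certificate"
    # Test 2: certificate is not expired
    if ssl.cert_time_to_seconds(peer_cert["notAfter"]) <= now:
        return False, "expired"
    # Test 3: name in certificate must equal the name the caller claims
    cn = subject_cn(peer_cert)
    if cn is None or cn != claimed_name:
        return False, "name mismatch"
    # Test 4: serial must not be on the CA's revocation list (hex strings)
    revoked = {int(s, 16) for s in revoked_serials}
    if int(peer_cert["serialNumber"], 16) in revoked:
        return False, "revoked"
    # Authorization is granted on the certificate name only
    if cn not in authorized:
        return False, "not authorized"
    return True, "ok"
```

Every failure path returns a reason string, so a rejected request can be logged with the specific test that failed.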
X509 Certificate Request Process
  Client creates a private key
    openssl genrsa -out MyPrivateKey.key 1024
  Using private key, client creates a Certificate Signing Request (CSR)
    openssl req -new -nodes -key MyPrivateKey.key -out MyCSR.csr
  CSR sent to CA and signed certificate is returned
  Signed certificate can be joined with Private Key
    openssl pkcs12 -export -in MyCertificate.pem -inkey MyPrivateKey.key -out MyPFXFile.pfx
X509 Certificate Tools
 OpenSSL
  useful for both .NET and Java users
 Keytool
  useful only for Java users
 Microsoft CertUtil – Not really useful for anyone
Example Server Configurations with SSL and Client Certificates
  IIS 6.0
  Step by Step available at:
   http://www.wijiscommons.org/gjxdm_example/#dotNet

 Apache Tomcat 5.5
  Step by Step available at:
   http://www.wijiscommons.org/gjxdm_example/#java
IEPD Distribution Suggestions
  In addition to Instance Examples, include
  Example WSDL
  Auto-generated C# files and Jar Files (JAXB)
  Sample Implementations and test client
  XSLT with sample HTML output
Developer Guide – Return on Investment
  Lowers the barriers to secure web services using GJXML
  Re-use of code saves developer time for agencies/vendors and stretches grant $$
  Vendors integrate with WIJIS once and can distribute to all customers
  Prior to Guide: 0 Services, now 7 vendors, over 73 agencies in 8 months
Links
  wijiscommons.org/gjxdm_example – WIJIS developer guide
  oja.wi.gov/wijis – WIJIS Web Page
  wijisgateway.org – WIJIS Blog

Contact Info
  James.pingel@wisconsin.gov
  Yogesh.chawla@wisconsin.gov
