Case Study: The British Columbia Attorney General implementation of Web Services Security Toufic Boubez, Ph.D. Chief Technology Officer Layer 7 Technologies [email protected] www.layer7tech.com


Case Study: The British Columbia Attorney General implementation of Web Services Security

Toufic Boubez, Ph.D.
Chief Technology Officer
Layer 7 Technologies

[email protected]


© Toufic Boubez - Layer 7 Technologies

Speaker Introduction

Current:
· Layer 7 Founder and Chief Technology Officer.
· Co-Author: WS-Trust, WS-SecureConversation.
· Co-Editor: W3C WS-Policy Working Group
· OASIS WS-RM TC, WS-SX TC
· Books: Building Web Services with Java (12/2001), Java P2P Unleashed (8/2002).

Background:
· IBM Lead Architect for Web Services.
· IBM Lead Architect for Web Services Toolkit.
· Co-Author of UDDI V1 specification.
· Technical Chair/Track Chair for the XML Web Services One Conferences.
· OASIS WS-Security TC, UDDI TC, SAML TC, WS-I Sample Apps WG
· IBM technical lead for UN/OASIS ebXML.


BC Ministry of Attorney General

Goal: to maintain and enhance public safety in every community across the Province of British Columbia.

The BCAG has a constitutional and statutory role as the BC Government's lawyer, providing legal advice, representing the Provincial Government in litigation, and drafting legislation.

Main Services:
· Court Services
· Justice Services
· Correction Services
· Crown Services

Collaboration among key partners like the police, judiciary, defense counsel, and other ministries is vital to the effective and efficient delivery of services to the public.

However, separation (arm's length) between government and judiciary is crucial.


BCAG Business Drivers


BCAG Business Drivers (cont)


Enterprise Architecture: Current


Enterprise Architecture: Target


Enterprise Architecture - Justice Sector

[Diagram: Justice Sector Enterprise Service Bus. Labels include CEIS, JUSTIN, PAC, CORNET, CSO and iPHYS; Directory Services; Shared Services (Security, Audit Logs, Work Flow) and Shared Services Management; a Services Container (Orchestration Services, XML Services, Custom Shared Services, Collaboration Services, Security Services, Privacy Enforcement, Interoperability Services); a Database Adapter; Services Managers and App Servers for Court Services, Crown Services, Corrections Services and Justice Services; Content, Forms and Intelligence Repositories; Legacy Applications; ESB Administration; Portal; Customers; and an Initial Integration project.]


Data-Sensitive Protected Services

· JUSTIN: Integrated Justice System for criminal cases registry. A large cluster of Oracle databases that stores extremely confidential information related to BC court proceedings. Includes information such as criminal records, adoption records, etc.
· CEIS: Similar to JUSTIN but for civil cases registry.
· CSO: Court Services Online. Searches Court of Appeals for filings.


Web Services Clients

· CSO clients
· CEIS clients
· WebCATS: Web-based interface to the Court of Appeals Tracking System. Allows the tracking of cases and the scheduling of hearings.
· CVSE: Commercial Vehicle Safety Enforcement. Hosted mobile application in Ministry of Transport for inspection vehicles and weigh stations.
· Public kiosks and Web-based portals.
· Other clients being developed at other ministries such as Ministry of Transport, etc.


Security and Availability Constraints

Constraints:
· High Security Zone (HSZ): for security reasons, NO DIRECT external connections to JUSTIN or CSO are to be allowed.
· SQLNET-only connection from HSZ to Medium Security Zone (MSZ).
· Other distributed applications and portals require data from JUSTIN or CSO.
· Tiered access control: different privileges to different user profiles (e.g. general public, public defenders, prosecutors, court clerks, etc.)

Solution:
· Access to secure applications and databases residing in the HSZ is wrapped in a Web services layer at the MSZ.
· Use WS-Security for credentials and confidentiality.
· Use Layer 7 Web Services Gateways as Policy Enforcement Points between MSZ and client applications.
· Use Layer 7 XML VPNs for client-side WS-Security proxies.


Solution Deployment

[Diagram labels: High Security Zone; JUSTIN, CSO, CEIS; SQLNET; Medium Security Zone; Web Services App Servers; Web Services Gateways; SOAP/WS-Security; Internet; Chief Justice Bridge; Rota; Web Portal; Court of Appeals; SSG/Bridge; WEB-CATS; Telus Bridge; CVSE.]


Real World Issues

· Original testing/pilot deployment did not involve security.
· Next phase involved HTTP Basic-Auth credentials.
· Final phase involves WS-Security
  · UTP;
  · X.509TP: additional encryption and signing for some highly sensitive requests.
· Major problem is how to move from one phase to another:
  · Changing client and service policies;
  · Key distribution and management;
  · Testing.
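An added sketch (not from the original deck and not Layer 7's code) of the phase-migration problem above combined with the tiered access control from the Security and Availability Constraints slide: a policy enforcement point whose per-service `accept` set lets HTTP Basic-Auth and WS-Security UsernameToken coexist during the changeover, and which returns the mechanism used so remaining Basic-Auth clients can be identified before that option is withdrawn. It reads UTP as the WS-Security UsernameToken Profile; the user names, profiles and operation names are constructed.

```python
import base64
import hmac
import xml.etree.ElementTree as ET

NS = {"s": "http://schemas.xmlsoap.org/soap/envelope/",
      "wsse": "http://docs.oasis-open.org/wss/2004/01/"
              "oasis-200401-wss-wssecurity-secext-1.0.xsd"}
# Constructed sample data (not from the deck): user -> (password, profile),
# and the profiles each hypothetical operation admits.
USERS = {"clerk1": ("s3cret", "court_clerk"), "kiosk": ("pub", "general_public")}
ALLOWED = {"searchFilings": {"general_public", "court_clerk"},
           "getCaseRecord": {"court_clerk"}}

def soap_with_token(user, password):
    """Build a constructed SOAP 1.1 request carrying a UsernameToken."""
    return (f'<s:Envelope xmlns:s="{NS["s"]}" xmlns:wsse="{NS["wsse"]}">'
            "<s:Header><wsse:Security><wsse:UsernameToken>"
            f"<wsse:Username>{user}</wsse:Username>"
            f"<wsse:Password>{password}</wsse:Password>"
            "</wsse:UsernameToken></wsse:Security></s:Header>"
            "<s:Body/></s:Envelope>")

def credentials(headers, soap_xml, accept):
    """Return (mechanism, user, password) using only mechanisms in `accept`."""
    try:
        if "wss-utp" in accept and "<!DOCTYPE" not in soap_xml:  # refuse DTDs
            tok = ET.fromstring(soap_xml).find(
                "s:Header/wsse:Security/wsse:UsernameToken", NS)
            if tok is not None:
                return ("wss-utp", tok.findtext("wsse:Username", "", NS),
                        tok.findtext("wsse:Password", "", NS))
        auth = headers.get("Authorization", "")
        if "basic" in accept and auth.startswith("Basic "):
            user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
            return ("basic", user, pw)
    except (ValueError, ET.ParseError):
        pass  # malformed header or envelope: treat as no credentials
    return (None, "", "")

def enforce(operation, headers, soap_xml, accept):
    """Return (HTTP status, mechanism used) for one request at the gateway."""
    mech, user, pw = credentials(headers, soap_xml, accept)
    stored, profile = USERS.get(user, ("", None))
    ok = hmac.compare_digest(stored.encode(), pw.encode())
    if mech is None or profile is None or not ok:
        return (401, mech)
    if profile not in ALLOWED.get(operation, set()):
        return (403, mech)
    return (200, mech)
```

Under these assumptions a service moves between phases by changing its `accept` set from `{"basic"}` to `{"basic", "wss-utp"}` and finally to `{"wss-utp"}`, once the logged mechanism shows no client still relies on Basic-Auth.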


SAML Extension PoC

Next pilot extension for internal BC Government portal users:
· Will leverage attributes to determine entitlements and access levels;
· Will use SAML as token issued by Security Token Service;
· Authentication based on BCeID IAM
· Will re-use same Web services deployed in the previous phases, leveraging and building on the existing infrastructure (which was one of the original goals);


SAML Extension PoC

[Diagram labels: High Security Zone; JUSTIN, CSO, CEIS; Medium Security Zone; Web Services App Servers; Web Services Gateways; SOAP/WS-Security; Internet; Chief Justice Bridge; Rota; Web Portal; Court of Appeals; SSG/Bridge; WEB-CATS; Telus Bridge; CVSE; Government Portal; Secure Zone; STS; Licensing site (three); BCeID.]


Thanks!

Thank you very much for making it through!

I will answer questions now. Email additional questions or comments or presentation requests to: [email protected]