Case Study: The British Columbia Attorney General implementation of Web Services Security
Toufic Boubez, Ph.D.
Chief Technology Officer
Layer 7 Technologies
© Toufic Boubez - Layer 7 Technologies
Speaker Introduction
Current:
- Layer 7 Founder and Chief Technology Officer.
- Co-Author: WS-Trust, WS-SecureConversation.
- Co-Editor: W3C WS-Policy Working Group.
- OASIS WS-RM TC, WS-SX TC.
- Books: Building Web Services with Java (12/2001), Java P2P Unleashed (8/2002).
Background:
- IBM Lead Architect for Web Services.
- IBM Lead Architect for Web Services Toolkit.
- Co-Author of UDDI V1 specification.
- Technical Chair/Track Chair for the XML Web Services One Conferences.
- OASIS WS-Security TC, UDDI TC, SAML TC, WS-I Sample Apps WG.
- IBM technical lead for UN/OASIS ebXML.
BC Ministry of Attorney General
Goal: to maintain and enhance public safety in every community across the Province of British Columbia.
The BCAG has a constitutional and statutory role as the BC Government's lawyer, providing legal advice, representing the Provincial Government in litigation, and drafting legislation.
Main Services:
- Court Services
- Justice Services
- Correction Services
- Crown Services
Collaboration among key partners like the police, judiciary, defense counsel, and other ministries is vital to the effective and efficient delivery of services to the public.
However, separation (arm's length) between government and judiciary is crucial.
BCAG Business Drivers
BCAG Business Drivers (cont)
Enterprise Architecture: Current
Enterprise Architecture: Target
Enterprise Architecture - Justice Sector
[Diagram: Justice Sector Enterprise Service Bus. Labels recovered from the figure: CEIS; JUSTIN; PAC; CORNET; CSO; ARC; Cor-i; SCMS; Crown Apps; Court Services Apps; Justice Services Apps; Legacy Applications; CAS; CHIPS; ICBC; BC Prime; Portal; PIP; Customers; App Server; Services Mgr.; Services Container; Directory Services; Shared Services: Security, Audit Logs, Work Flow; Shared Services Mgmt; Orchestration Services, XML Services, Custom Shared Services, Collaboration Services, Security Services, Privacy Enforcement, Interoperability Services; Database Adapter; JUSTIN, CEIS, CSO, CORNET, iPHYS; Content, Forms Repository; Intelligence Repository; ESB Administration; Court Services; Crown Services; Corrections Services; Justice Services; Forms Services, Search Services, Client Kiosk, Law Library Services, Schedules; Initial Integration project.]
Data-Sensitive Protected Services
- JUSTIN: Integrated Justice System for criminal cases registry.
  - A large cluster of Oracle databases, stores extremely confidential information related to BC court proceedings.
  - Includes information such as criminal records, adoption records, etc.
- CEIS: Similar to JUSTIN but for civil cases registry.
- CSO: Court Services Online. Searches Court of Appeals for filings.
Web Services Clients
- CSO clients
- CEIS clients
- WebCATS:
  - Web-based interface to the Court of Appeals Tracking System.
  - Allows the tracking of cases and the scheduling of hearings.
- CVSE: Commercial Vehicle Safety Enforcement.
  - Hosted mobile application in Ministry of Transport for inspection vehicles and weigh stations.
- Public kiosks and Web based portals.
- Other clients being developed at other ministries such as Ministry of Transport, etc.
Security and Availability Constraints
Constraints:
- High Security Zone – For security reasons, NO DIRECT external connections to JUSTIN or CSO are to be allowed.
- SQLNET only connection from HSZ to Medium Security Zone.
- Other distributed applications and portals require data from JUSTIN or CSO.
- Tiered access control: different privileges to different user profiles (e.g. general public, public defenders, prosecutors, court clerks, etc.)
Solution:
- Access to secure applications and databases residing in HSZ is wrapped in Web services layer at the MSZ.
- Use WS-Security for credentials and confidentiality.
- Use Layer 7 Web Services Gateways as Policy Enforcement Points between MSZ and client applications.
- Use Layer 7 XML VPNs for client-side WS-Security proxies.
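The enforcement-point pattern on this slide, as an added example that is not from the presentation or from Layer 7's products: a client-side proxy attaches a WS-Security UsernameToken with a password digest, and a gateway authenticates it, rejects replays, and applies tiered access by user profile. The users, passwords, profile names, operation names and the `urn:example:courts` namespace are constructed for illustration.

```python
import base64, hashlib, hmac
import xml.etree.ElementTree as ET
WSS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-"
NS = {"s": "http://schemas.xmlsoap.org/soap/envelope/",
      "wsse": WSS + "wssecurity-secext-1.0.xsd",
      "wsu": WSS + "wssecurity-utility-1.0.xsd"}
# Constructed sample data: user -> (password, profile); profile -> allowed operations.
USERS = {"clerk01": ("pw-clerk", "court_clerk"), "kiosk01": ("pw-kiosk", "general_public")}
POLICY = {"court_clerk": {"searchFilings", "scheduleHearing"}, "general_public": {"searchFilings"}}

def password_digest(nonce: bytes, created: str, password: str) -> str:
    # UsernameToken Profile digest: Base64(SHA-1(nonce + created + password))
    return base64.b64encode(hashlib.sha1(nonce + created.encode() + password.encode()).digest()).decode()

def build_request(user, password, operation, nonce, created="2006-01-01T00:00:00Z"):
    # Client-side proxy role: attach a digest UsernameToken to the SOAP call.
    ptype = WSS + "username-token-profile-1.0#PasswordDigest"
    return (f'<s:Envelope xmlns:s="{NS["s"]}" xmlns:wsse="{NS["wsse"]}" xmlns:wsu="{NS["wsu"]}">'
            f'<s:Header><wsse:Security><wsse:UsernameToken><wsse:Username>{user}</wsse:Username>'
            f'<wsse:Password Type="{ptype}">{password_digest(nonce, created, password)}</wsse:Password>'
            f'<wsse:Nonce>{base64.b64encode(nonce).decode()}</wsse:Nonce><wsu:Created>{created}</wsu:Created>'
            f'</wsse:UsernameToken></wsse:Security></s:Header>'
            f'<s:Body><{operation} xmlns="urn:example:courts"/></s:Body></s:Envelope>')

def enforce(raw_xml: str, seen_nonces: set):
    # Gateway role: authenticate the token, then apply the profile's entitlements.
    if "<!DOCTYPE" in raw_xml:                 # SOAP messages must not carry a DTD
        return (False, "DTD rejected")
    try:
        root = ET.fromstring(raw_xml)
    except ET.ParseError:
        return (False, "malformed XML")
    tok = root.find("s:Header/wsse:Security/wsse:UsernameToken", NS)
    body = root.find("s:Body", NS)
    if tok is None or body is None or len(body) != 1:
        return (False, "missing token or operation")
    user, pw, nonce, created = (tok.findtext(t, "", NS) for t in
                                ("wsse:Username", "wsse:Password", "wsse:Nonce", "wsu:Created"))
    if user not in USERS or nonce in seen_nonces:
        return (False, "unknown user or replayed nonce")
    password, profile = USERS[user]
    try:
        expected = password_digest(base64.b64decode(nonce, validate=True), created, password)
    except ValueError:
        return (False, "bad nonce")
    if not hmac.compare_digest(expected.encode(), pw.encode()):
        return (False, "bad credentials")
    seen_nonces.add(nonce)                     # only valid tokens consume a nonce
    op = body[0].tag.rsplit("}", 1)[-1]        # local name of the requested operation
    return (op in POLICY[profile], f"{profile}:{op}")
```

A deployed enforcement point would also bound the age of `wsu:Created` and expire entries in the nonce cache; the digest protects the password on the wire but not the message body, which is what the signing and encryption mentioned for sensitive requests address.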
Solution Deployment
[Diagram: solution deployment. Labels recovered from the figure: High Security Zone; JUSTIN, CSO, CEIS; SQLNET; Medium Security Zone; Web Services Gateways; Web Services App Servers; SOAP/WS-Security; Internet; Web Portal; Chief Justice Bridge; Rota; Court of Appeals; SSG/Bridge; WEB-CATS; Telus Bridge; CVSE.]
Real World Issues
- Original testing/pilot deployment did not involve security.
- Next phase involved HTTP Basic-Auth credentials.
- Final phase involves WS-Security:
  - UTP;
  - X.509TP: Additional encryption and signing for some highly sensitive requests.
- Major problem is how to move from one phase to another:
  - Changing client and service policies;
  - Key distribution and management;
  - Testing.
SAML Extension PoC
- Next pilot extension for internal BC Government portal users:
  - Will leverage attributes to determine entitlements and access levels;
  - Will use SAML as token issued by Security Token Service;
  - Authentication based on BCeID IAM.
- Will re-use same Web services deployed in the previous phases, leveraging and building on the existing infrastructure (which was one of the original goals).
SAML Extension PoC
[Diagram: SAML extension deployment. Labels recovered from the figure: High Security Zone; JUSTIN, CSO, CEIS; Medium Security Zone; Web Services Gateways; Web Services App Servers; SOAP/WS-Security; Internet; Web Portal; Chief Justice Bridge; Rota; Court of Appeals; SSG/Bridge; WEB-CATS; Telus Bridge; CVSE; Government Portal; Secure Zone; STS; Licensing site (three instances); BCeID.]
Thanks!
Thank you very much for making it through!
I will answer questions now. Email additional questions or
comments or presentation requests to: [email protected]