1 / 16

SWIM Web Service Security Conformance Test Kit (CTK)

SWIM Web Service Security Conformance Test Kit (CTK). What is CTK?.

Download Presentation

SWIM Web Service Security Conformance Test Kit (CTK)

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. SWIM Web Service Security Conformance Test Kit (CTK)

  2. What is CTK? • The CTK is a testing tool that can be used to gauge that a message sender and/or message recipient meets the Web Service security requirements mandated by SWIM policy and described in the “SWIM Web Service Security Specification.” • These policies have been created to: • simplify the integration and management of services in the NAS, • increase the flexibility of the NAS system-of-systems architecture, and • enable consistent approaches to service security and management. • Prototype for SWIM Segment 2

  3. SWIM Service Lifecycle Stages CTK WHY, WHEN, WHERE & HOW • WHY? To test for Service & Client compliance with any SWIM Web Service Security profile specified in the SWIM Web Service Security Specification so potential problems in security implementations are identified and resolved as soon as possible • WHEN? During the National Airspace System Service Registry/Repository (NSRR) Development lifecycle stage • WHERE? To be run by the developers at their site against their developed Web Service • HOW? Attach/Upload generated compliance report to NSRR for approval by SWIM Governance Note: Actional Team Server is run during the NSRR Verification lifecycle stage to check for SWIM Web Service-Interoperability (WS-I) Profile compliance.

  4. CTK - Goals And Key Concepts • Provide capabilities to validate Web Services security profiles according to SWIM Web Service Security Specification • Transport Level Security (TLS) • WS-Security Username Token (UT) • WS-Security Binary Security Token (BST) • Security Assertion Markup Language Token (SAML) • Provide capabilities to demonstrate application and enforcement of SWIM security policies • Using WSDL that includes WS-Policy attachments • Creating validation report • Including positive/negative test suites • Provide capabilities to validate 3rd party service providers • Security Token Service (STS)

  5. SWIM SECURITY PROFILES

  6. SECURITY PROFILE APPLICATION MATRIX

  7. CTK – Testing Contexts Summary • Multiple testing contexts (8) • Implemented on FUSE ESB 4.2, using FUSE Services Framework and FUSE Mediation Router

  8. Driver • 3rd Party Service connected to CTK-Client

  9. Client-Server over HTTPS using BST • Purpose: validate both client and server • SWIM WSS Profile: BST • Client and server protocol: HTTPS • Setup / Configuration: • Direct Proxy Context • CTK Harness: Proxy • CTK Test Suite; BST • Result • 51 exchanges with expected pass/failure

  10. REPORT: Test Result Summary: Client-Server over HTTPS using BST

  11. REPORT: Test Suite Results Summary

  12. REPORT: Message Exchange PASS Results

  13. REPORT: Message Exchange FAIL Results

  14. REPORT: Request PASS Result

  15. REPORT: Request FAIL Result

  16. REPORT: Message

More Related