
PBLEID-10565. WS-security - incomplete

oyri committed Dec 15, 2015
1 parent 87cc8b5 commit 33af7695dcc75a83c0e058511327cf22ac08164d
Showing with 115 additions and 0 deletions.
  1. +1 −0 index.textile
  2. +114 −0 ws-security/WebserviceSecurity.textile
@@ -18,6 +18,7 @@ h3. Tjenestespesifikasjonen:
* "XSD definisjon":xsd/oppslagstjeneste-ws-14-05.xsd
* "XSD metadata":xsd/oppslagstjeneste-metadata-14-05.xsd
* "XSD definisjon for fil eksport":xsd/kontaktregister-export-14-05.xsd
* "Web Service Security header":ws-security/WebserviceSecurity.textile

h3. Datamodell:

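Review bot: The new index entry `* "Web Service Security header":ws-security/WebserviceSecurity.textile` links a page that the commit message itself describes as incomplete (ufullstendig); publishing it from the specification index before the signature and token requirements are final invites implementers to build against a draft. Consider holding this index line until the page is complete, or marking the target page as a draft in its title. The entry otherwise matches the quoting style of the surrounding XSD links.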
@@ -0,0 +1,114 @@
---
layout: default
title: Webservice sikkerhet
headtitle: Oppslagstjenesten
group: transportlag

id: Transportlag/WebserviceSecurity

next: Feilhåndtering


---

h2. {{page.title}}h3. Webservice security headere

Webservice security header består av følgende elementer:

table(table table-striped).
|_. Identifikator |_. Kardinalitet |_. Datatype |
| BinarySecurityToken | 1..1 | "wsse:BinarySecurityToken":http://docs.oasis-open.org/wss/v1.1/wss-v1.1-spec-errata-os-SOAPMessageSecurity.htm#_Toc118717134 |
| Timestamp | 1..1 | "wsu:Timestamp":https://www.oasis-open.org/committees/download.php/21256/wss-v1.1-spec-errata-os-SOAPMessageSecurity.htm#_Toc118717167 |
| Signature | 1..1 | "ds:Signature":https://www.oasis-open.org/committees/download.php/21256/wss-v1.1-spec-errata-os-SOAPMessageSecurity.htm#_Toc118717148 |

Meldingen er kun signert på SOAP nivå, ikke kryptert.

h3. Timestamp

* Time-to-live skal være 120 sekunder

På grunn av den korte Time-to-live så kreves det at alle aktører har servere med klokker synkronisert med "NTP":http://www.ntp.org/.

h3. BinarySecurityToken

* Sertifikat for validering av signatur skal inkluderes i SOAP header
* Security Token være X509 sertifikater
* Sertifikatet som brukes skal være et virksomhetssertifikat
** sertifikatet skal være utstedt til behandlingsansvarlig eller databehandler.
** I testmiljøet brukes test-virksomhetssertifikat utstedt fra samme leverandører som i produksjon

h3. Signature

* Signeringsalgoritmen skal være "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256":http://www.w3.org/2001/04/xmldsig-more#rsa-sha256.
* Fingeravtrykksalgoritmen i referansene skal være "http://www.w3.org/2001/04/xmlenc#sha256":http://www.w3.org/2001/04/xmlenc#sha256

Følgende elementer i SOAP meldingen signeres:

* Timestamp
* Soap bodyh3. eksempel

Under kan er det lagt opp en et eksempel på en gyldig Webservice security header generert fra java klient biblioteket for sending av digital post:

<pre class="brush: xml; toolbar: false">
<env:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
env:mustUnderstand="true">
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="SIG-91E8B93BDD15EF51281450186010507155">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="env"/>
</ds:CanonicalizationMethod>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI="#TS-91E8B93BDD15EF51281450186010506150">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
PrefixList="wsse env"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>zSCH29Xx5af2hgqVciSA0VettSo=</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#id-91E8B93BDD15EF51281450186010506154">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
PrefixList=""/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>OH1VQPQXJVOq/nYPvb9WK3gXstA=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
KQs6DCARRU3+fIaGisvf+ignKxugwsN+1bEHkDCDzvZ34UtE3QKJEUnG6INPXJ9fuwBc/P0NoctgtZsuG5lFMKAV/swqK0W77AdzEMrh/ZcFI67+nWf5UMErrCSqqIOA4eZLBcUO4oqi9uwvXCsLGA/+dmMUhpcVIMXnq90vz5ViVSqt49t3QiLcdGriTtHPUKX+ob0xlppROElEhsgk0iLSH/YDKkgmTfkKn9qQFzW8XI4XkMz3SIy/k6UjSt6CoKwNpqwtL6QIE445p3Q7hPCw45mC4l05FYJwnGcxGHZrrZNjBBmrEz3z8LELfar4Lz1ZTAMPPkccwC6wnbJyFA==
</ds:SignatureValue>
<ds:KeyInfo Id="KI-91E8B93BDD15EF51281450186010506152">
<wsse:SecurityTokenReference wsu:Id="STR-91E8B93BDD15EF51281450186010506153">
<wsse:KeyIdentifier
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3">
SERTIFIKAT-VERDI
</wsse:KeyIdentifier>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
<wsu:Timestamp wsu:Id="TS-91E8B93BDD15EF51281450186010506150">
<wsu:Created>2015-12-15T13:26:50.506Z</wsu:Created>
<wsu:Expires>2015-12-15T13:31:50.506Z</wsu:Expires>
</wsu:Timestamp>
</wsse:Security>
<DifiSecurity xmlns="http://kontaktinfo.difi.no/wsdl/oppslagstjeneste-16-02">
<OnBehalfOf>991825827</OnBehalfOf>
</DifiSecurity>
</env:Header>
</pre>
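Review bot: The example header contradicts the requirements stated a few lines above it, and since implementers copy examples, the example will win. Both `<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>` lines use SHA-1, while the Signature section requires `http://www.w3.org/2001/04/xmlenc#sha256` for the reference digests; regenerate the example with SHA-256 digests so the stated algorithm is what readers see. The Timestamp section requires a time-to-live of 120 seconds, but `<wsu:Created>2015-12-15T13:26:50.506Z</wsu:Created>` to an Expires of 13:31:50.506Z is 300 seconds. The table lists `BinarySecurityToken` with cardinality 1..1 and the BinarySecurityToken section says the certificate shall be included in the SOAP header, yet the example contains no `wsse:BinarySecurityToken`; it carries the certificate (placeholder `SERTIFIKAT-VERDI`) inside `wsse:KeyIdentifier` with ValueType `#X509v3`. Either is a legitimate WS-Security way to convey the signing certificate, but the text and the example must agree on which form the service accepts, otherwise a receiver cannot be written to reject the other. Separately, the `DifiSecurity`/`OnBehalfOf` header element in the example is not described anywhere on the page, is not among the signed elements listed (Timestamp, SOAP body) and is not referenced by either `ds:Reference`, so a reader cannot tell whether its organisation number may be trusted; document its meaning and state whether it must be covered by the signature. Textile formatting: `h2. {{page.title}}h3. Webservice security headere` and `* Soap bodyh3. eksempel` need a line break before `h3.` or the headings will not render, and the lead-in `Under kan er det lagt opp en et eksempel` should read `Under er det lagt opp et eksempel`.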
