wiki:TI12_Security/DEWS/SeaInfoAccess2GADS-WCSUseCase

Use Case: BMT SeaInfo access to GADS-WCS

Description

The steps required for SeaInfo to access GADS-WCS data.

Actors

  • BMT SeaInfo application client
  • Marine Stream Geoserver (GADS-WCS) Gatekeeper
  • Marine Stream Geoserver (GADS-WCS)
  • Marine Stream Attribute Authority - MarineAA (deployed at ESSC)

Assumptions

  • Gatekeeper port is exposed outside host site firewall.
  • Geoserver port is protected within host site firewall.
  • Incoming SOAP messages from the client are secured with WS-Security digital signature.

Triggers

BMT SeaInfo client makes a request to the Gatekeeper for data.

Outcome

Client is granted access to secured Geoserver data.

Normal Course

  1. SeaInfo makes a getAttCert call to the MarineAA Web Service to request an Attribute Certificate. It signs the SOAP message with WS-Security, using a private key it holds.
  2. MarineAA receives the request from SeaInfo and verifies the signature of the SOAP message.
  3. MarineAA extracts the Distinguished Name of the SeaInfo certificate associated with the signature and looks up this user in its list of registered users.
  4. MarineAA finds an entry for the user and adds the user's associated roles to a new Attribute Certificate.
  5. The MarineAA signs the Attribute Certificate and sends it back in a signed SOAP message.
  6. SeaInfo receives the SOAP message and verifies its signature, checking that it belongs to the MarineAA.
  7. SeaInfo extracts the Attribute Certificate from the message and verifies the signature of the certificate, checking that it belongs to the MarineAA.
  8. SeaInfo constructs a request SOAP message containing the Attribute Certificate and the Geoserver request.
  9. It signs the message using its private key before dispatch to the Gatekeeper.
  10. The Gatekeeper processes the request and returns a response.
  11. SeaInfo polls the Gatekeeper for a response containing the data.
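As an added illustration (not code from the DEWS project or MarineAA), the Attribute Certificate issuance and verification of steps 1-7 modelled in Go: ed25519 signatures over raw bytes and a JSON payload stand in for the WS-Security XML signature and the XML Attribute Certificate, and the registry of DNs, roles and client public keys that MarineAA consults is assumed.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
)

// AttributeCertificate binds a holder DN to roles: a stand-in for the XML AC MarineAA issues.
type AttributeCertificate struct {
	Holder, Issuer string
	Roles          []string
}

// SignedAC is the encoded certificate plus the MarineAA signature over it (step 5).
type SignedAC struct{ Payload, Sig []byte }
// AttributeAuthority stands in for MarineAA: signing key, registered users (DN -> roles),
// and the public key each registered DN signs its WS-Security messages with.
type AttributeAuthority struct {
	DN    string
	Key   ed25519.PrivateKey
	Users map[string][]string
	Pubs  map[string]ed25519.PublicKey
}

// GetAttCert models steps 2-5: verify the request signature under the key registered for
// the claimed DN, look that DN up, and return an AC signed with the authority's own key.
func (aa *AttributeAuthority) GetAttCert(signerDN string, request, reqSig []byte) (SignedAC, error) {
	pub, ok := aa.Pubs[signerDN]
	if !ok || !ed25519.Verify(pub, request, reqSig) {
		return SignedAC{}, errors.New("request signature does not verify for " + signerDN)
	}
	roles, ok := aa.Users[signerDN]
	if !ok {
		return SignedAC{}, errors.New("no registered user for " + signerDN)
	}
	payload, err := json.Marshal(AttributeCertificate{Holder: signerDN, Issuer: aa.DN, Roles: roles})
	if err != nil {
		return SignedAC{}, err
	}
	return SignedAC{Payload: payload, Sig: ed25519.Sign(aa.Key, payload)}, nil
}

// VerifyAC models step 7: accept the AC only if it verifies under the trusted MarineAA key.
func VerifyAC(aaPub ed25519.PublicKey, ac SignedAC) (parsed AttributeCertificate, err error) {
	if !ed25519.Verify(aaPub, ac.Payload, ac.Sig) {
		return parsed, errors.New("attribute certificate signature invalid")
	}
	return parsed, json.Unmarshal(ac.Payload, &parsed)
}
```

Roles the client acts on come only from a payload whose signature verified, so a forged or altered certificate yields an error rather than elevated access.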