Security Status December 2006


  • Web service interface working between WebSphere and Python using WS-Security
    • Uses WS-Security digital signature
    • confidentiality using SSL - easier than getting WS-Security encryption working between WebSphere and python
    • Although the WS-Security standard is established the tooling has not reached full maturity. With WebSphere, you can do most of what you want but it is a subset of the full standard.
  • Carried out a major update of python web services from ZSI version 1.6 to 2.0 rc3. This includes using doc/literal wrapped style WSDL. Also, now using Twisted resource framework for python web server.
  • Python MyProxy client complete barring integration and completion of unit tests.
  • Eggifying security: separated security into client and server packages which can be deployed separately. Still some way from completion and there are problems eggifying some packages notably Twisted.


  • Securing http redirects. (See ticket #366). This is out of scope for the DEWS project because login is only required from one portal but it needs to be addressed for NDG.
  • NDG site installations at BODC, NOCS, BADC and PML. All are part complete with post Alpha versions of security software. It could be better to wait for the beta version of the software which will include all the enhancements described above.

DEWS Security Critical Path (applicable to NDG also)

This is a summary of the remaining tasks for completion of NDG security for DEWS and amounts to around two months effort.

  1. WS-Security WebSphere - Python interface (Done)
  2. DEWS: Securing Geoserver. While we expect this work to be done at the MetOffice (in cooperation with ESSC), we expect to be providing consultancy on the token signature evaluation etc and coordinating the work
  3. Update security WS interfaces for Session Manager, Attribute Authority and Simple CA. NB: Session Manager interface is complete, Attribute Authority and SimpleCA code is part complete.
    1. re-write of rpc encoded WSDLs to wrapped/doc/literal style
    2. move previous ZSI 1.6 based code to ZSI 2.0 rc3
    3. remove custom pyXMLSec based message security and replace with new WS-Security handler
  4. Refactor pyXMLSec digital signature. This is used in for signing WS messages but ALSO for signing Attribute Certificates. Attribute Certificates are signed using an enveloped signature independently of being sent over the wire via a WS. Two alternatives - Option 1) is preferred to ensure independence of transport layer:
    1. Refactor signature code removing pyXMLSec code and replacing with new signature code as used with WS-Security signature handler
    2. Dispense with enveloped signature for Attribute Certificates and rely on signature applied by WS-Security handler at the point of message dispatch
  5. MyProxy pure python client. Python code to connect to myproxy-server over SSL using M2Crypto and implement the various commands needed as methods of a python client class: myproxy-logon, myproxy-store (add credential to the repository), myproxy-destroy (removes a credential from repository). Current status:
    1. all complete bar integration and unit tests.
    2. logon method requires a patch to M2Crypto. This needs to be submitted to the M2Crypto developers.
  6. Oracle Attribute Authority interface for the Python Attribute Authority (to be based on code developed within NDG at BODC).
    1. Take Siva's code used for BODC Oracle interface and use for LostWax Attribute Authority
  7. Install Security at the MetOffice and LostWax (and possible ESSC too). Go to sites to install or revise installation guide so that it can be done unsupervised.
    1. MetOffice - install Attribute Authority. (Note that no MyProxy is needed for DEWS at this stage).
    2. LostWax - install Attribute Authority, Session Manager and MyProxy. LostWax have a target machine running Redhat available.
    3. Establish what will happen at ESSC.
  8. Eggify security. Current status: security code is now separated into server, client, common and unit test packages. Ideally all the code components needed by clients (user clients and application clients) should be in easy to install packages. As many server components as possible should also be eggified, but it is recognised that until Twisted is eggified this may not be that useful. (5 days, 33 total).
    1. Complete script for each package and overall to create individual eggs for client and server and overall egg to create whole bundle
    2. Add scripting to create configuration files and installation location for the
    3. Scripting to create security scripts for security bin directory (there's a standard egg way of doing this)
  9. DEWS Auditing and Logging. Security will need to interact with the Lost Wax logging service. Note that this can be done after delivery of the security package and done as an update.
  10. Interface with LostWax logging service
  11. Remaining documentation for DEWS auditing logging workpackage