SWIM Laboratory Update
Demonstrations and Prototypes TIM 7

Presented to: TIM Participants
By: Dominic (Bud) Timoteo
Date: May 4, 2011
Federal Aviation Administration

Page 2

SWIM Laboratory

• Consists of 2 facilities:
  – SIF (SWIM Integration Facility)
  – SPF (SWIM Prototype Facility)

Page 3

SWIM Integration Facility

• SWIM COTS Products Repository
• SWIM COTS & FOSS Working Group
• NAS Services Registry Repository (NSRR)
• Other:
  – SWIM Wiki
  – Security & Vulnerability Analysis of SWIM Products
  – Support Segment 2 User prototypes

Page 4

Product Inventory – Functional

SWIM product functions with the Open Source Software and Proprietary Software listed against them on the slide:

  – WS Stack: Fuse Services Framework*; Artix ESB
  – SC Enterprise Integration Patterns (EIP): Fuse Mediation Router*, Fuse ESB*
  – Message Oriented Middleware (MOM): Fuse Message Broker*
  – Enterprise Service Bus (ESB): Fuse ESB*
  – System Management Subsystem (SMS): Fuse HQ*, Artix Enterprise Management Plug-in
  – Information Grid: Data eXtend Semantic Integrator (DXSI)
  – COTS Product Repository: Nexus
  – OSGI runtime endpoint management: ARTIX Reg/Rep (Depot)
  – Registry/Repository: HP-soa-systinet-eclipse-plugin, HP-soa-systinet-visual-studio-plugin; HP SOA Systinet, HP SOA Registry
  – Security: Artix Connect for WCF, Artix Security
  – Development Tools/Environment: Eclipse, Ant, Maven; Fuse Integration Designer
  – SOA Test Tools: soapUI, Actional Diagnostics, iTKO Lisa*, Actional Team Server*

• Available from COTS Repository (https://swimrepo.faa.gov)
• Available on SWIM ftp (ftp://swimftp.tc.faa.gov)

* Products being used by SIPs

Page 5

SWIM COTS & FOSS Working Group

• WG is the vehicle to:
  – Select Fuse product versions that SWIM supports
  – Facilitate Fuse issue info exchange & resolution
  – Decide need for Fuse improvements
  – Disseminate product info and track SIP use of SWIM products
• Facilitate monthly meetings
• Generate and Maintain:
  – SWIM FUSE Issue Tracker (weekly updates to SWIM wiki)
  – SWIM COTS Products Status Report (monthly)
  – COTS Products Management Plan (annually)

Figure: cover of the "System Wide Information Management (SWIM) Commercial Off The Shelf and Open Source Products Status Report", April 27, 2011

Page 7

NAS Services Registry Repository

• Administer & Maintain HP SOA Systinet Application
• Support users
• User documentation
  – Publishers Guide
  – Consumers Guide
  – Administrators Guide
• Work with SWIM Governance to assure NSRR is compliant with SWIM policies

Page 8

NSRR

The NAS Services Registry Repository provides a wide range of functionality.

Page 9

SWIM Service Lifecycle Management

The SWIM Registry/Repository accommodates a custom lifecycle management process.

Figure: the lifecycle diagram shows seven stages in order: Proposed, Definition, Development, Verification, Production, Deprecated, Retired. Within each stage a service moves from the Working sub-state to Complete (Approved) through an approval step; a promotion step then carries it from one stage into the next.
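
The stage and sub-state rules that diagram depicts, written out as an added Python example (not code from the SWIM program or from HP SOA Systinet); the stage names are the slide's, and the rule that a stage must be approved before a promotion is the reading of the diagram's approval and promotion arrows:

```python
# Stage names and sub-states exactly as drawn on the slide.
STAGES = ["Proposed", "Definition", "Development", "Verification",
          "Production", "Deprecated", "Retired"]
WORKING, COMPLETE = "Working", "Complete (Approved)"


class ServiceLifecycle:
    """Tracks one registered service through the SWIM lifecycle stages."""

    def __init__(self, name):
        self.name = name
        self.stage = 0              # index into STAGES; a new service starts as Proposed
        self.substate = WORKING     # every stage is entered in the Working sub-state
        self.history = []           # audit trail of (action, stage) tuples

    def state(self):
        return f"{STAGES[self.stage]} / {self.substate}"

    def approve(self):
        """Working -> Complete (Approved) inside the current stage."""
        if self.substate != WORKING:
            raise ValueError(f"{self.name}: {STAGES[self.stage]} is already approved")
        self.substate = COMPLETE
        self.history.append(("approval", STAGES[self.stage]))

    def promote(self):
        """Complete (Approved) -> Working in the next stage; refused without approval."""
        if self.substate != COMPLETE:
            raise ValueError(f"{self.name}: {STAGES[self.stage]} has not been approved")
        if self.stage == len(STAGES) - 1:
            raise ValueError(f"{self.name}: Retired is the final stage")
        self.stage += 1
        self.substate = WORKING
        self.history.append(("promotion", STAGES[self.stage]))
```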

Page 10

SWIM Registry Service Creation

Business Service artifacts (artifact: contents):
  – Properties: Data Model Attributes
  – Taxonomies: Classifications
  – Contacts: Organization Unit, Person
  – Documents: WSDD, IRD
  – Implementation: WSDL
  – Depends On: Business Service, Business Process, Application, BPEL Process
  – Consists Of: Business Service
  – Registries: UDDI Containers
  – Service Level Objectives: Service Level Agreement

The SWIM Registry/Repository business service consists of many artifacts.

Page 11

Other Implementation Tasks

• Administer & Maintain SWIM Wiki
• Security & Vulnerability Analysis of SWIM Products using Veracode – initial trial scan of Fuse Message Broker executable
• Work with SWIM Test & COTSWG & AWG to add SIP-related tests to FUSE verification activity
• Support Segment 2 User prototypes (AIM Common Status and Structure Data Program)
• Provide facility for SWIM Test

Page 12

SWIM Prototype Facility

Page 13

SWIM Security Reference Implementation (SSRI)

• Demonstrate securing Web Services at multiple levels
  – Transport (securing communication)
  – Endpoint (securing access to service)
  – Message (provide integrity, non-repudiation, etc.)
  – Business Logic (ex: restricted access to service operation)
  – Data (securing data, meta-data)
• Demonstrate integration with enterprise level components and appropriate technologies
  – Authentication & Authorization (LDAP, X.509 certificates, SAML)
  – Key management (PKI, X.509 certificates)
  – Java Authentication & Authorization Service (JAAS)
  – Spring Security
• Provide secure Web Service example (code, configurations), client, and example components

Page 14

oAuth Prototype

• Single Sign On / UI
  – Evaluate use of OAuth 2.0 for common login infrastructure (contrast with SAML, etc.) for applications that reside within the NAS
• Messaging
  – Evaluate use of ‘two-legged’ OAuth for message level security (REST only)
  – Evaluate interplay with WS-Security, ‘boundary-crossings’
• Common (SSO + Messaging)
  – Develop/adopt standard format for user attribute exchange (e.g., OpenID Connect)
  – Evaluate OAuth-based representation of NAS internal attribute authority

Page 15

Recent Work

• Segment 2 Prototypes
  – SWIM Security Reference Implementation
    • Updated to include FUSE ESB 4.2
    • Implemented Binary Security Token (BST) security profile
    • Implemented Username Token security profile
    • Implemented Transport Layer Security (TLS)
    • Updated Build Guide documentation
  – oAuth Prototypes
    • Completed Sprint 1 and 2
    • Design/Develop screens to set up target applications
    • Design/Develop user registration screens

Page 16

Messaging Prototype

• Pub/Sub & Send/Receive Semantics
• Reliable Messaging
• Enterprise Routing
  – Content-based Routing
• Message Mediation
• Message Transport
• Message Security
  – Service and Destination Authorization
  – Message-Level Integrity and Confidentiality

Page 17

Recent Work

• Messaging Prototype
  – Prototype Plan
  – Implement JMS broker network
  – Implement SAN-based clustering and persistence
  – Implement simulated SIP clients
  – Document broker cluster and network configuration

Page 18

Recent Work

• IKM – XML Gateway Requirements
  – XML Gateway
    • Mutual TLS configuration for incoming connections using self-signed certificates
    • Authentication of incoming messages via Username Token
    • Authentication of incoming messages via Binary Security Token
    • Authentication of incoming messages via SAML Authentication
    • Insertion of SAML AuthN Assertions into outgoing messages
  – Developed draft IKM Requirements
  – Developed rough draft of IKM CONOPs

Page 19

Conformance Test Kit (CTK)

• Measure and report on conformance against:
  – The four security profiles defined in SWIM WS-Security Specification
  – WS-I Basic Security Profile
• Measure conformance across a set of test scenarios
• Support stateful evaluation of messages
  – Recognize replay scenarios
  – Evaluate the response in the context of the request
• Allow the CTK to participate both actively and passively
  – As a web-service proxy
  – As a web service provider
  – As a web service client
  – As a web service intermediary
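
How a stateful check of the Username Token profile recognizes a replay, covering the CTK's "recognize replay scenarios" item here and the Username Token authentication on the SSRI and XML Gateway slides, as an added Python example that is not code from the SWIM laboratory, the SSRI or the CTK. The PasswordDigest formula is the one in the OASIS UsernameToken Profile; the SOAP envelope, credential store and five-minute freshness window are constructed assumptions. The checks run freshness first, then the nonce cache, then the digest, so stale or replayed input is rejected before any hashing.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PW_DIGEST = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
MAX_SKEW = timedelta(minutes=5)   # assumed freshness window; the deck does not state one

def password_digest(nonce_b64, created, password):
    """UsernameToken Profile 1.0: PasswordDigest = Base64(SHA-1(nonce + created + password))."""
    raw = base64.b64decode(nonce_b64) + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()

def soap_with_username_token(user, nonce_b64, created, digest):
    """Constructed sample envelope with a wsse:UsernameToken header (not a SWIM message)."""
    return (f'<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Header>'
            f'<wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}"><wsse:UsernameToken>'
            f'<wsse:Username>{user}</wsse:Username><wsse:Password Type="{PW_DIGEST}">{digest}'
            f'</wsse:Password><wsse:Nonce>{nonce_b64}</wsse:Nonce><wsu:Created>{created}'
            f'</wsu:Created></wsse:UsernameToken></wsse:Security></s:Header><s:Body/></s:Envelope>')

class UsernameTokenVerifier:
    def __init__(self, passwords, now_utc):
        self.passwords = passwords     # username -> password; a constructed credential store
        self.now = datetime.fromisoformat(now_utc.replace("Z", "+00:00"))   # injected clock
        self.seen_nonces = {}          # nonce -> Created time, kept for one MAX_SKEW window

    def verify(self, envelope):
        tok = ET.fromstring(envelope).find(f".//{{{WSSE}}}UsernameToken")
        if tok is None:
            return "no-token"
        user, digest, nonce = (tok.findtext(f"{{{WSSE}}}{n}") for n in ("Username", "Password", "Nonce"))
        created = tok.findtext(f"{{{WSU}}}Created")
        if None in (user, digest, nonce, created):
            return "malformed"
        created_at = datetime.fromisoformat(created.replace("Z", "+00:00"))
        if abs(self.now - created_at) > MAX_SKEW:
            return "stale"             # outside the freshness window
        self.seen_nonces = {n: t for n, t in self.seen_nonces.items() if self.now - t <= MAX_SKEW}
        if nonce in self.seen_nonces:
            return "replay"            # same nonce seen inside the window: a replayed request
        expected = password_digest(nonce, created, self.passwords.get(user, ""))
        if user not in self.passwords or not hmac.compare_digest(expected, digest):
            return "bad-digest"
        self.seen_nonces[nonce] = created_at
        return "ok"
```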

Page 20

Future – Security Prototype for Segment 2

• Prototype combination of:
  – DNS – Seg 1+
  – NTP – Seg 1+
  – IKM – Seg 2, phase 1
  – SWIM Enterprise Messaging System (a.k.a. DEX) – Seg 2, phase 1
• In planning stages
  – Drafted plan
  – Setting up lab connectivity with FTI