160 likes | 218 Views
SWIM Web Service Security Conformance Test Kit (CTK). What is CTK?.
E N D
What is CTK? • The CTK is a testing tool that can be used to gauge that a message sender and/or message recipient meets the Web Service security requirements mandated by SWIM policy and described in the “SWIM Web Service Security Specification.” • These policies have been created to: • simplify the integration and management of services in the NAS, • increase the flexibility of the NAS system-of-systems architecture, and • enable consistent approaches to service security and management. • Prototype for SWIM Segment 2
SWIM Service Lifecycle Stages CTK WHY, WHEN, WHERE & HOW • WHY? To test for Service & Client compliance with any SWIM Web Service Security profile specified in the SWIM Web Service Security Specification so potential problems in security implementations are identified and resolved as soon as possible • WHEN? During the National Airspace System Service Registry/Repository (NSRR) Development lifecycle stage • WHERE? To be run by the developers at their site against their developed Web Service • HOW? Attach/Upload generated compliance report to NSRR for approval by SWIM Governance Note: Actional Team Server is run during the NSRR Verification lifecycle stage to check for SWIM Web Service-Interoperability (WS-I) Profile compliance.
CTK - Goals And Key Concepts • Provide capabilities to validate Web Services security profiles according to SWIM Web Service Security Specification • Transport Level Security (TLS) • WS-Security Username Token (UT) • WS-Security Binary Security Token (BST) • Security Assertion Markup Language Token (SAML) • Provide capabilities to demonstrate application and enforcement of SWIM security policies • Using WSDL that includes WS-Policy attachments • Creating validation report • Including positive/negative test suites • Provide capabilities to validate 3rd party service providers • Security Token Service (STS)
CTK – Testing Contexts Summary • Multiple testing contexts (8) • Implemented on FUSE ESB 4.2, using FUSE Services Framework and FUSE Mediation Router
Driver • 3rd Party Service connected to CTK-Client
Client-Server over HTTPS using BST • Purpose: validate both client and server • SWIM WSS Profile: BST • Client and server protocol: HTTPS • Setup / Configuration: • Direct Proxy Context • CTK Harness: Proxy • CTK Test Suite; BST • Result • 51 exchanges with expected pass/failure
REPORT: Test Result Summary: Client-Server over HTTPS using BST