A Guide to Secure Web Services with GJXML


Upload: raymond-hoover

Post on 29-Dec-2015


Hey I downloaded an IEPD!
Cool, how do you write a web service?
I use .NET
Moo! I use Java

WIJIS Justice Gateway

The WIJIS Justice Gateway: A single, secure point of read-only access to disparate state and local justice information resources.

Local Law Enforcement Records Management Systems

Service-Oriented Architecture

1) Publish pointers from RMS to Gateway Cache
2) End Users Search Cache, Request Incident Report
3) Gateway requests Incident Report from RMS
4) RMS returns Incident Report
5) Gateway displays Incident Report

WIJIS Developer Guide

Service providers should be mapping data to GJXML, not bogged down in implementation details

Provide example WSDL – Contract First!
Server and client implementation in multiple languages
Compile schema into objects
XSLT
http://www.wijiscommons.org/gjxdm_example/

Incident Report IEPD – The Homer Simpson Case Study

IEPD can be downloaded here: http://www.search.org/programs/info/xml-iep.asp

Doh, Now what?

Let’s take a look, we see…
Instance Examples
Document and constraint schemas

DOT NET 2.0 Instructions

Generate C# Objects from WSDL with this command:
    wsdl.exe /server http://wijis.wisconsin.gov/wsdl/RecordRetrievalServiceWithIEPD.wsdl

Create .NET Web Service and add references

Example C# files and instructions here: http://www.wijiscommons.org/gjxdm_example/#dotNet

Testing the Service – The Python Way

Create a sample invocation file
Run the sample python script
Script can be run over http, https or https w/ client certificates
Keep the test client simple!

Examples available here: http://www.wijiscommons.org/gjxdm_example/#client

Java Instructions - Overview

Generate Jar File from WSDL using Jaxb
Download sample Record Retrieval Service Project for Eclipse
WIJIS provides Ant tasks in project
Full details at: http://www.wijiscommons.org/gjxdm_example/#java

Make your XML look Pretty - XSLT

WIJIS Gateway invokes services, then:
WIJIS Needed to transform results
End users are not machines but humans

Distributing XSLT helps service providers inspect Incident Reports before publishing
Instance and transformed documents here: http://www.wijiscommons.org/gjxdm_example/#xslt

WIJIS – Security Overview

Incident Report request conducted over HTTPS with X509 Client Certificates
Layer 3 IP Address filtering
WIJIS runs our own certificate authority
Authorization granted based on name in certificate

WIJIS – 4 Security Tests

Certificate signed by WIJIS Certificate Authority
Certificate is not expired
Name in Certificate matches name on wire
Certificate has not been revoked

X509 Certificate Request Process

Client creates a private key
    openssl genrsa -out MyPrivateKey.key 1024

Using private key, client creates a Certificate Signing Request (CSR)
    openssl req -new -nodes -key MyPrivateKey.key -out MyCSR.csr

CSR sent to CA and signed certificate is returned

Signed certificate can be joined with Private Key
    openssl pkcs12 -export -in MyCertificate.pem -inkey MyPrivateKey.key -out MyPFXFile.pfx
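
The four security tests and the certificate request process, run end to end with the openssl command line (an added example, not code from this deck or the WIJIS guide). The CA name "Demo CA", the subject rms.example.test standing in for the "name on wire", and all function names are assumptions; keys are 2048-bit rather than the slide's 1024, which current guidance no longer accepts for RSA.

```shell
# Constructed throwaway PKI for the demo; every name and path here is made up.
make_demo_pki() {   # $1 = empty working directory
  d=$1; : > "$d/index.txt"
  cat > "$d/ca.cnf" <<EOF
[req]
distinguished_name = req
x509_extensions = v3_ca
[v3_ca]
basicConstraints = critical,CA:TRUE
[ca]
default_ca = demo
[demo]
database = $d/index.txt
default_md = sha256
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -config "$d/ca.cnf" -subj "/CN=Demo CA" \
    -days 30 -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
  # Client: private key, then CSR (2048-bit here, not the slide's 1024)
  openssl genrsa -out "$d/client.key" 2048 2>/dev/null
  openssl req -new -config "$d/ca.cnf" -key "$d/client.key" \
    -subj "/CN=rms.example.test" -out "$d/client.csr"
  # CA: sign the CSR and publish a CRL (empty at this point)
  openssl x509 -req -in "$d/client.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -set_serial 2 -days 30 -out "$d/client.pem" 2>/dev/null
  make_crl "$d"
}
make_crl() {        # $1 = PKI directory
  openssl ca -config "$1/ca.cnf" -gencrl -crldays 30 -cert "$1/ca.pem" \
    -keyfile "$1/ca.key" -out "$1/crl.pem" 2>/dev/null
}
revoke_cert() {     # $1 = PKI directory, $2 = certificate to revoke
  openssl ca -config "$1/ca.cnf" -cert "$1/ca.pem" -keyfile "$1/ca.key" \
    -revoke "$2" 2>/dev/null && make_crl "$1"
}

check_client_cert() {   # the four tests: CA.pem CRL.pem CERT.pem EXPECTED_SUBJECT
  openssl verify -no_check_time -CAfile "$1" "$3" >/dev/null 2>&1 \
    || { echo "FAIL 1: not signed by this CA"; return 1; }
  openssl x509 -in "$3" -noout -checkend 0 >/dev/null || { echo "FAIL 2: expired"; return 2; }
  got=$(openssl x509 -in "$3" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
  [ "$got" = "$4" ] || { echo "FAIL 3: name '$got' is not '$4'"; return 3; }
  openssl verify -crl_check -CAfile "$1" -CRLfile "$2" "$3" >/dev/null 2>&1 \
    || { echo "FAIL 4: revoked or CRL unusable"; return 4; }
  echo "PASS"
}

d=$(mktemp -d) && make_demo_pki "$d"
check_client_cert "$d/ca.pem" "$d/crl.pem" "$d/client.pem" "CN=rms.example.test"
revoke_cert "$d" "$d/client.pem"
check_client_cert "$d/ca.pem" "$d/crl.pem" "$d/client.pem" "CN=rms.example.test" || true
```

The checks run in the slide's order, so the return code (1 to 4) identifies the first test that failed.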

X509 Certificate Tools

OpenSSL: useful for both .NET and Java users.
Keytool: useful only for Java users
Microsoft CertUtil – Not really useful for anyone

Example Server Configurations with SSL and Client Certificates

IIS 6.0
Step by Step available at: http://www.wijiscommons.org/gjxdm_example/#dotNet

Apache Tomcat 5.5
Step by Step available at: http://www.wijiscommons.org/gjxdm_example/#java

IEPD Distribution Suggestions

In addition to Instance Examples, include
Example WSDL
Auto-generated C# files and Jar Files (JaxB)
Sample Implementations and test client
XSLT with sample HTML output

Developer Guide – Return on Investment

Lowers the barriers to secure web services using GJXML
Re-use of code saves developer time for agencies/vendors and stretches grant $$
Vendors integrate with WIJIS once and can distribute to all customers
Prior to Guide: 0 Services, now 7 vendors, over 73 agencies in 8 months

Links

wijiscommons.org/gjxdm_example – WIJIS Developer Guide
oja.wi.gov/wijis – WIJIS Web Page
wijisgateway.org – WIJIS Blog

Contact Info

[email protected]@wisconsin.gov