B2b web Service Guidelines V2 rsvz enterprise Architecture



Download 0.95 Mb.
Page12/14
Date02.05.2018
Size0.95 Mb.
#47313
1   ...   6   7   8   9   10   11   12   13   14

Security

  1. Message Security

    1. Guideline


Privacy and integrity of the message contents MUST be ensured.
Communicating partners (NISSE and SIFs) MUST authenticate each other.
Explanation
All of the requirements are fulfilled by using 2-way SSL:

Authentication of individual users requires more complex technologies, such as WS-Encryption (signature) and e-ID.

Non-repudiation also requires these technologies, by using a digital signature generated either by the SIF’s key or the individual user’s key.


The client and server certificates of RSVZ are available for download from

http://www.rsvz-inasti.fgov.be/schemas/B2B-certificates.



      1. Audit Logging

        1. Guideline

All incoming and outgoing messages MUST be logged in an audit log.


The information listed in the table below MUST be logged:

        1. Explanation


This guideline is based on the RSVZ B2B Security Policy.doc.
In a 2-way SSL setup the client (or service consumer) sends its certificate to the server (or service provider) amongst other things. If the SSL connection is successfully established this implies that the certificate is correct, and that the client really is who he claims to be (unless private key would have been stolen).

Inside the certificate is the distinguished name proper to the client and known to the server.


The first column is based on guidelines from the KSZ, and is described in RSVZ B2B Security Policy.doc. All of these fields need to be logged, except those marked ‘N/A’.
The second and third column describe what needs to be logged, depending whether the SIF is the initiating partner or NISSE.

  • SIF  NISSE: a SIF starts a Request-Reply, or a SIF sends a One Way to NISSE

  • NISSE  SIF: NISSE starts a Request-Reply, or NISSE sends a One Way to SIF

Remarks on the table:



  • N/A means ‘not applicable’, meaning that this information is not logged.

  • General, Timestamp:

    • a timestamp generated together with the logging of an incoming message;

    • optionally the Applheader.TransferOk.Timestamp field for Pseudo One Way;

    • note: the timestamp that the message is sent is in MessageTimeRequest further down in the table

  • Communication type:

  • MessageServiceId: This is a combination of:

    • the Web Service name as found in the name attribute, e.g. "Affiliation_V3" for version 3.x of Affiliation

    • a ‘-‘

    • the operation named as found under the name attribute of the element, e.g. “InvestigateNew” in Affiliation.

    • Example: “Affiliation_V3-InvestigateNew”





  1. Download 0.95 Mb.

    Share with your friends:
1   ...   6   7   8   9   10   11   12   13   14




The database is protected by copyright ©ininet.org 2024
send message

    Main page