X-Road is a platform independent data exchange layer between different databases and information systems.

Transcription

1 What is? is a platform independent data exchange layer between different databases and information systems. Platform independence is achieved by using standardised SOAP protocol.

2

3 Services services are Web Services. Each service provider has a WSDL schema which describes all of it's services. * The term Web Service describes a standardized way of integrating Web-based applications using the XML, SOAP, WSDL and UDDI open standards over an Internet protocol backbone.

4 Service consumer Service consumer is an institution or organization that uses services provided by service providers. Consumer certificate does not allow providing services.

5 Service provider Service provider is a database that is providing predefined web services through x-road infrastructure. Service provider certificate does not allow to use services of other service providers.

6 Central (PKI directory service) Central provides information about x-road public keys and ip addresses. Central has following services: DNS-SEC resolving providers ip addresses and publishing x-road consumers/producers public keys. NTP-SERVER keeping security s time up to date. HashRepository service storing all log hashes sent by security s.

7 Certification authority CA CA is an offline computer. It's issuing certificates to x-road consumers and producers. Information about producers IP addresses is also combined by CA. Public keys and IP aadresses are exported to central using offline media (USB flash drive).

8 is dedicated proxy for exchanging data between service consumers and providers. 's assignment is to: forward querys to a right producer check if consumer's/producer's certificate is valid encrypt/decrypt data check if consumer has permission to access services log all query's

9 Monitoring station Monitoring stations provide x-road s (security and central s) status information to system administrators. Monitoring Station is also collecting service usage information. Usage information contains only META-DATA (query time, user ID, user organization ID, database name and service name).

10 Adapter (process) Adapter is a webservice provider which modifies x-road queries to a database platform specific format.

11 X-road requirements 1 CPU - 64bit architecture is prefered (MISP is running only on 64bit) 512MB ram you can use less, but you will regret it Ubuntu Server LTS One static IP address or more

12 Firewall configuration Ports for incoming services: TCP 5555 SSL data exchange between security s Ports for outgoing services: TCP 5555 SSL data exchange between security s TCP 25 SMTP, ing (including error messages) TCP 37 UNIX time protocol for the diagnostics subsystem; TCP and UDP 53 Name services; TCP 80 HTTP, loading central keys; UDP 123 NTP, security clock synchronization; TCP 5555 SSL data exchange between security s TCP 5556 query hash logging protocol; UDP 6666 data exchange with monitoring stations.

13 20 Data consumers Information system Organization A : overview There are various databases and information systems in different platforms with need to co-operate Extra interface from every database to every information system would be expensive Databases Databa se Motor vehicle register Databa se Public services portal is a platform-independent secure standard interface between databases and information systems Business register Public Internet

14 21 Data consumers Information system Organization A : overview Database is adapted to by setting up Adapter Server, which contains: / SOAP Information systems implement: / SOAP client rules Databases Adapt er Motor vehicle register Adapt er Databa se Databa se Public services portal Business register Public Internet

15 22 : overview Databases Data consumers Information system Organization A Public services portal To secure the system, each party accesses via it s Server Server is a standard software solution that encrypts/decrypts outgoing/ingoing messages, filters ingoing messages as a firewall, and logs messages it receives Adapt er Motor vehicle register Adapt er Business register Databa se Databa se Public Internet

16 23 : overview Databases Data consumers Information system Organization A Traffic between Servers is encrypted with PKI. Servers have to be certified by Certification Authority Certificates are available for verification from Central Servers. Central Servers are duplicated Adapt er Motor vehicle register Adapt er Business register Databa se Databa se Public services portal Public Internet Central s

17

18 25 infrastructure Information System / Portal Adapter Databa se Organization service consumer organization service provider organization Public service (citizens, private companies, ) Central s Public portals Monitoring Central organization CA ( certification authority)

19 26 message flow (1) of IS Service consumer IS Service Service consumer organization DB Adapter of DB Service producer (DB) organization Central Servers

20 4. As user chooses to call a method (usage of which is authorized by the Information System), a message with method call goes towards the Server DB message flow (2) 5. In addition to the message body with data for method call, the message contains also a message header with user s Personal Code, the name of Information System, unique ID of the message etc. Adapter of DB Service producer (DB) organization 2. Whether user is identified by ID-card, password, face or something else is up to the Information System, provided that the way of identification is reliable Central Servers of IS 3. Information System 27 gives user access to methods user is authorized to use This is first level of authorization Service consumer IS Service consumer organization Service 1. User authenticates himself/herself. Information System must be able to get to know the proper Personal Code of user

21 Server of message flow (3) IS verifies over DNSSEC the certificate received from the Server of DB of IS 6. The Server signs the message with it s private key Service consumer IS Service 10. If certificate was valid, the Server of DB sends its certificate back to finish creation of secure connection 7. The Server of IS asks over DNSSEC the Central Server for IP address of the Server(s) of DB Service consumer organization DB Adapter of DB Service producer (DB) organization 9. Server of DB verifies over DNSSEC the certificate received from the Central Servers Server of IS 8. Server of IS opens TCP connection to the Server of DB and sends its certificate to start TLS security protocol

22 29 DB 15. Server message flow (4) 14. Server of DB checks whether the Information System is authorized for this method. This is the second level of authorization 16. Adapter Server commits the method call in the database Adapter of DB sends the decrypted message to the Adapter Server of IS Service consumer IS Service consumer organization Service 12. As secure channel has been created and other party verified, Server of IS sends signed message to Server of DB of DB Service producer (DB) organization 13. Server of DB verifies signature Central of the Servers message and logs the message

23 18. Server of producer sends signed response message to the Server of IS 19. Server of IS checks the signature of message flow (5) response message and logs the response message 21. Finally, user receives response he/she requested! of IS Service consumer IS Service consumer organization 30 Service DB Adapter 17. Server of producer signs the response message Service producer (DB) organization Server of DB Central Servers 20. Server of IS sends decrypted response message to the Information System

24 31 authorization levels If Database adapter does not trust Information System to grant individual permissions, it has possibility to hold additional permission matrix on the granularity of individual But this would be DB awful in case adapter of hundreds of Information Systems with thousands of! Server of DB Service producer (DB) organization Permission matrix on the granularity of Information Systems is held by the Server of the Database Central Servers Server of IS Consumer IS Service consumer organization Permission matrix on the Service granularity of individual is held by the Information System Information System is capable to grant permissions to its only on those methods that Information System itself is authorized to use by permission matrix held by the Server of DB

25 32 : Trusted logs (1) Server of DB logs messages coming from the Information Systems DB Adapter of DB Service producer (DB) organization Central Servers Consumer IS Service consumer organization Service Server of IS logs response messages coming from the Databases Both Servers hash their logs and send their hash chain periodically to the Central Servers

26 33 : Trusted logs (2) If an evil administrator of any Server would try to change the local log file, the hash in Server does not match the hash in Central Servers any more! Therefore, the logs cannot be broken With message given, it is always possible to check later the authenticity of the message whether such a message really existed or not. As trusted logs cannot be broken, the result of the check is trustworthy

27 34 WSDL: metaservices (1) listmethods Implemented by adapter Used by security Mandatory metaservice for every service provider Operation must return all provider s service (wsdl:operation) names in format: producername.servicename.versionnr example: population.listpersons.v1

28 35 WSDL: metaservices (2) testsystem Implemented by adapter Used by security Used for monitoring if adapter and database (and possibly all other needed s/services) are up and running.

29 36 WSDL: metaservices (3) listproducers: Implemented by consumer security Used by Information systems / portals Response contains the list of all available producers. Having list of all producers it is possible to receive the list of available methods with metaservice allowedmethods.

30 37 WSDL: metaservices (4) allowedmethods: Method dbname.allowedmethods is implemented by security of DB. Used by Information systems / portals. Service response contains the list of all allowed methods for caller organisation.