17 March 2013 NIEM Web Services API Version 1.0 URI: http://reference.niem.gov/niem/specification/web-services-api/1.0/



Similar documents
How to Implement Two-Way SSL Authentication in a Web Service

WebService Security. A guide to set up highly secured client-server communications using WS-Security extensions to the SOAP protocol

Copyright 2012, Oracle and/or its affiliates. All rights reserved.

Java Security Web Services Security (Overview) Lecture 9

How to Implement Transport Layer Security in PowerCenter Web Services

CONTRACT MODEL IPONZ DESIGN SERVICE VERSION 2. Author: Foster Moore Date: 20 September 2011 Document Version: 1.7

Entrust Certificate Services. Java Code Signing. User Guide. Date of Issue: December Document issue: 2.0

SSL Certificate Generation

02267: Software Development of Web Services

SafeNet KMIP and Google Cloud Storage Integration Guide

Using LDAP Authentication in a PowerCenter Domain

PowerCenter Real-Time Development

Installing Digital Certificates for Server Authentication SSL on. BEA WebLogic 8.1

Version 9. Generating SSL Certificates for Progeny Web

Iowa Immunization Registry Information System (IRIS) Web Services Data Exchange Setup. Version 1.1 Last Updated: April 14, 2014

Creating and Managing Certificates for My webmethods Server. Version 8.2 and Later

Developing In Eclipse, with ADT

soapui Client Testing ecrv Web Services with soapui 1 9/20/2012 First edition soapui-x ecrv Development Team

Creating a Secure Web Service In Informatica Data Services

Enabling Single-Sign-On on WebSphere Portal in IBM Cognos ReportNet

IBM SPSS Collaboration and Deployment Services Version 6 Release 0. Single Sign-On Services Developer's Guide

Salesforce Files Connect Implementation Guide

Exchange Reporter Plus SSL Configuration Guide

Enabling Single Signon with IBM Cognos ReportNet and SAP Enterprise Portal

PerfectForms SharePoint Integration


RHEV 2.2: REST API INSTALLATION

Web Services Security: SAML Token Profile 1.1

Configuring Secure Socket Layer and Client-Certificate Authentication on SAS 9.3 Enterprise BI Server Systems That Use Oracle WebLogic 10.

Enabling SSO between Cognos 8 and WebSphere Portal

Secure Data Transfer

TCS-CA. Outlook Express Configuration [VERSION 1.0] U S E R G U I D E

Installing the ASP.NET VETtrak APIs onto IIS 5 or 6

NEMSIS v3 Web Services Guide

SSL Configuration on Weblogic Oracle FLEXCUBE Universal Banking Release [August] [2014]

Enabling Single-Sign-On between IBM Cognos 8 BI and IBM WebSphere Portal

The full setup includes the server itself, the server control panel, Firebird Database Server, and three sample applications with source code.

ImageNow Message Agent

This Working Paper provides an introduction to the web services security standards.

Overview of Web Services API

Universal Content Management Version 10gR3. Security Providers Component Administration Guide

Enabling Single Signon with IBM Cognos 8 BI MR1 and SAP Enterprise Portal

Getting started with OWASP WebGoat 4.0 and SOAPUI.

Submitting UITests at the Command Line

CICS Web Service Security. Anthony Papageorgiou IBM CICS Development March 13, 2012 Session: 10282

Adeptia Suite 6.2. Application Services Guide. Release Date October 16, 2014

SSL Configuration on WebSphere Oracle FLEXCUBE Universal Banking Release [September] [2013] Part No. E

e-filing Secure Web Service User Manual

Onset Computer Corporation

ADFS Integration Guidelines

Axway API Gateway. Version 7.4.1

Monitoring HP OO 10. Overview. Available Tools. HP OO Community Guides

VMware vrealize Operations for Horizon Security

JobScheduler Web Services Executing JobScheduler commands

bbc Developing Service Providers Adobe Flash Media Rights Management Server November 2008 Version 1.5

Exchanger XML Editor - Canonicalization and XML Digital Signatures

Sentinel EMS v7.1 Web Services Guide

Application Enablement Services. Web Services Programmer Guide Release 4.1 An Avaya MultiVantage Communications Application

LATITUDE Patient Management System

Multi-Router Traffic Grapher (MRTG)

Developer Guide to Authentication and Authorisation Web Services Secure and Public

[MS-BDSRR]: Business Document Scanning: Scan Repository Capabilities and Status Retrieval Protocol

Network Automation 9.22 Features: RIM and PKI Authentication July 31, 2013

Novell Identity Manager

Digital Signature Web Service Interface

SSO Plugin. Case study: Integrating with Ping Federate. J System Solutions. Version 4.0

HP Asset Manager. Software version: Integration with software distribution and configuration management tools

HP Project and Portfolio Management Center

Quick and Easy Solutions With Free Java Libraries Part II

IUCLID 5 Guidance and Support

VMware vrealize Operations for Horizon Security

Security Guide vcenter Operations Manager for Horizon View 1.5 TECHNICAL WHITE PAPER

Jet Data Manager 2012 User Guide

UFTP AUTHENTICATION SERVICE

SafeNet KMIP and Amazon S3 Integration Guide

Encryption, Signing and Compression in Financial Web Services

Publish Acrolinx Terminology Changes via RSS

Getting Started Guide

HP Service Manager. Mobile Applications. For the Supported Windows and UNIX operating systems Software Version: 1.0. Document Release Date: July 2011

Schematron Validation and Guidance

Securing Web Services From Encryption to a Web Service Security Infrastructure

Funambol Exchange Connector v6.5 Installation Guide

1.6 HOW-TO GUIDELINES

User Application: Design Guide

Step- by- Step guide to extend Credential Sync between IBM WebSphere Portal 8.5 credential vault and Active Directory 2012 using Security Directory

PowerChute TM Network Shutdown Security Features & Deployment

Oracle Fusion Middleware Oracle API Gateway OAuth User Guide 11g Release 2 ( )

Installation valid SSL certificate

KMIP installation Guide. DataSecure and KeySecure Version SafeNet, Inc

SAML v1.1 for.net Developer Guide

Oracle Service Bus Examples and Tutorials

webcrm API Getting Started

Securing Web Services with WS-Security

Published. Technical Bulletin: Use and Configuration of Quanterix Database Backup Scripts 1. PURPOSE 2. REFERENCES 3.

SSL Configuration Best Practices for SAS Visual Analytics 7.1 Web Applications and SAS LASR Authorization Service

HireRight Integration Platform and API: HireRight Connect. Third Party Developer Guide

HireDesk API V1.0 Developer s Guide

Secure Envelope specification

Practice Fusion API Client Installation Guide for Windows

TABLE OF CONTENTS. avaya.com

Transcription:

17 March 2013 NIEM Web Serv vices API Version 1.0 URI: http://reference.niem.gov/niem/specification/web-services-api/1.0/

i

Change History No. Date Reference: All, Page, Table, Figure, Paragraph A = Add. M = Mod. D = Del. Revised By Change Description 0.1 11/25/2009 All A Chris Lewis Initial version 0.2 9/14/2011 Page 5 M John Matthews Added parameter 0.3 3/17/2013 Page 6 C John Matthews Removed conformance i

Contents 1 Introduction...1 2 Web Service Security...1 3 NIEM Web Services...3 3.1 Search Web Service...3 3.1.1 Search for Components...4 3.1.2 Retrieve a Component...4 3.2 Subset Generation Web Service...5 3.3 Code List Generation Web Service...6 Certificate Creation...1 Appendix A: Testing with SOAPUI...2 i

1 Introduction NIEM now offers access to some of the functionality that currently exists on the NIEM Web site through the use of SOAP Web Services. This will allow the ecosystem of NIEM tools and users to grow as more complex and useful features can be integrated into tools and make the lives of users easier. Consider these two use cases: A user may now write a program to generate subsets of NIEM by providing the wantlist to the web service and get back the generated subset, rather than manually generate a subset in the NIEM SSGT web application. A user may now write a program to access the Subset Generation Web Service to search for NIEM components through a custom user interface, rather than use the interface provided by the Subset Generation Tool. NIEM now offers three different classes of queries through Web Services (more will likely be added in the future). Each class of query is described in more detail within this document. NIEM requires that all requests sent to the Web Service API be signed. The Web Service Security section details the requirements and process for signing your API requests. 2 Web Service Security NIEM utilizes WS-Security (Web Services Security: SOAP Message Security) for authenticating requests sent to the and requires that all requests sent to the Web Service API be signed. NIEM supports version 1.0 of the WS-Security specification (available on the OASIS Web site http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=wss). WS-Security provides a single SOAP header, <Security>, for use in transmitting authentication information within the SOAP request. It provides the implementer choices for the specific signature method to use. NIEM utilizes X.509 certificates for this purpose. The X.509 certificates provide a mechanism for transmitting a public key (This public key, and the associated private key are components of Public-key cryptography. For information and terminology related to the cryptography, see http://en.wikipedia.org/wiki/publickey_cryptography). To create a signed SOAP message, WS-Security specifies that you sign the request with the private key associated with the X.509 certificate, and then attach the X.509 certificate to the request by representing it as a BinarySecurityToken as defined in the WS- Security X.509 token profile specification (available on the OASIS Web site http://www.oasisopen.org/committees/tc_home.php?wg_abbrev=wss). In order to sign the requests, you must have a valid X.509 certificate. Appendix A details the steps to generate and receive a valid certificate that has been signed by the trusted NIEM Certificate Authority. You must follow these steps before any requests to the Web Service API can be generated. If you just wish to verify that the X.509 certificate you received is valid and working, the tool SOAP-UI can be used to verify this. Please see Appendix B for a short overview of verifying the validity of your X.509 certificate using SOAP-UI. If a request is sent to the Web Service API without a signature, the SOAP response will state: 1

com.sun.xml.wss.xwssecurityexception: Message does not conform to configured policy [ SignaturePolicy(P) ]: No Security Header found Once you have received your certificate, you may begin to generate requests. Each request sent to NIEM must be signed with the private key associated with your X.509 certificate. To create the signature, sign the Body element. At this point, requests sent to NIEM should be receiving responses. Several toolkits exist for many languages to automate the procedure of generating and attaching signatures that follow the WS-Security specification. The following example is a header for a valid signed request. This example illustrates how NIEM makes use of WS-Security, and which configuration settings NIEM uses. <soapenv:envelope xmlns:sch="http://niem.gov/ws/schemas" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:header> <wsse:security xmlns:wsse="http://docs.oasis- open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext- 1.0.xsd"> <wsse:binarysecuritytoken EncodingType="http://docs.oasis- open.org/wss/2004/01/oasis-200401-wss-soap-message-security- 1.0#Base64Binary" ValueType="http://docs.oasis- open.org/wss/2004/01/oasis-200401-wss-x509-token-profile- 1.0#X509v3" wsu:id="certid-10160805" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis- 200401-wss-wssecurity-utility-1.0.xsd"> <!--Your token here --> </wsse:binarysecuritytoken> <ds:signature Id="Signature-27761480" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:signedinfo> <ds:canonicalizationmethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> <ds:signaturemethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsasha1"/> <ds:reference URI="#id-21823376"> <ds:transforms> <ds:transform Algorithm="http://www.w3.org/2001/10/xml-excc14n#"/> </ds:transforms> <ds:digestmethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/ > <ds:digestvalue>dxwrptviyhjsctru/2gv0dja8ti=</ds:dige stvalue> </ds:reference> </ds:signedinfo> <ds:signaturevalue>dbbtvwc8f/idfzko1q/jiaesz/akub5rldbrmwdg yvvaksf4u/kxoonshkdwsqznbs0fc/c/lp61bntl51lgkct3e4xgp+xt2 QWbYVUrwBR0yXxaIAfZtiixu4Hi8fDGrYuZF8ZvvS7BfjecREB1yW5I5s GAGjPG72EKezXVJwY= </ds:signaturevalue> <ds:keyinfo Id="KeyId-12821819"> <wsse:securitytokenreference wsu:id="strid-9749991" xmlns:wsu="http://docs.oasisopen.org/wss/2004/01/oasis-200401-wss-wssecurityutility-1.0.xsd"><wsse:reference URI="#CertId- 10160805" ValueType="http://docs.oasis- 2

open.org/wss/2004/01/oasis-200401-wss-x509-tokenprofile-1.0#x509v3"/> </wsse:securitytokenreference> </ds:keyinfo> </ds:signature> </wsse:security> </soapenv:header> <soapenv:body wsu:id="id-21823376" xmlns:wsu="http://docs.oasisopen.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"> A few things worth noting: EncodingType for the BinarySecurityToken is set to use WS-Security, specifically http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security- 1.0#Base64Binary ValueType for the BinarySecurityToken element is set to be X.509 certificates, specifically http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-tokenprofile-1.0#x509v3 The BinarySecurityToken should contain the base64 encoding of your X.509 certificate (place this where <!-- Your token here --> is in the example) The KeyInfo element must contain as SecurityTokenReference element, which must contain a Reference element. This Reference element must have a URI attribute which identifies the local BinarySecurityToken containing the X509 certificate The signed element (Body, in the case of NIEM) must contain a wsu:id attribute The above example has demonstrated the use of a Web Service header. In order to be more concise, example queries shown in the sections that follow will not contain Web Service headers. However, Web Service headers are always required in practice. 3 NIEM Web Services The NIEM tool Web site currently exposes four Web Services: Search accepts a query and returns the NIEM component or components matching the query. Subset Generation accepts a wantlist and returns the subset schema for the given wantlist. Code List Generation accepts a Microsoft Excel spreadsheet and returns a code list schema. 3.1 Search Web Service The Web Services Description Language (WSDL) for the Search Web Service is located at: http://niem.gtri.gatech.edu/niemtools/ws/search/search.wsdl 3

This service has two separate queries: one to search for components and one to retrieve a specific component. 3.1.1 Search for Components The search service has two input parameters: 1. Type - The type of component to search for: "Property", "Type", or "Namespace". 2. SearchString - The query you wish to search for, i.e. the name of the component. The service returns one element: SearchResponse - A set of elements matching the type and the string from the query specified in the input. The following is a sample call to the service: <soapenv:envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:nm="http://niem.gov/ws/schemas"> <soapenv:header/> <soapenv:body> <nm:searchrequest> <nm:type> <nm:value>property</nm:value> </nm:type> <nm:searchstring> <nm:value>person</nm:value> </nm:searchstring> </nm:searchrequest> </soapenv:body> </soapenv:envelope> 3.1.2 Retrieve a Component Once a user knows what component he/she wants, a second query is available to retrieve that component. The retrieval service has one input parameter: ID - The qualified Name of the component to retrieve; e.g., "nc:person". The service returns one element. GetElementResponse - The XML representation of the component the user chooses to retrieve. The following is a sample call to the service: <soapenv:envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:nm="http://niem.gov/ws/schemas"> <soapenv:header/> <soapenv:body> 4

<nm:getelementrequest> <nm:id> <nm:value>nc:person</nm:value> </nm:id> </nm:getelementrequest> </soapenv:body> </soapenv:envelope> 3.2 Subset Generation Web Service The WSDL for the Subset Generation Web Service is located at: http://niem.gtri.gatech.edu/niemtools/ws/schemagenerator/genschema.wsdl The service has two input parameters: WantList - A base64 encoding of an XML Wantlist file IncludeWantlist - A boolean to indicate whether to include the wantlist in the generated schema IncludeDocumentation - A boolean to indicate whether to include the documentation in the generated schema The service returns one element: Response - A base64 encoding of the generated Subset The following is a sample call to the service: <soapenv:envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:nm="http://niem.gov/ws/schemas"> <soapenv:header/> <soapenv:body> <nm:generateschemarequest> <nm:wantlist> <nm:datafile>pd94bwwgdmvyc2lvbj0ims4wiiblbmnvzgluzz0ivvrgltg ipz4kphc6v2fudexpc3qgdzpyzwxlyxnlpsiyljaiihc6chjvzhvjdd0i TklFTSIKICB4bWxuczphbnNpLW5pc3Q9Imh0dHA6Ly9uaWVtLmdvdi9ua WVtL2Fuc2ktbmlzdC8yLjAiIHhtbG5zOnc9Imh0dHA6Ly9uaWVtLmdvdi 9uaWVtL3dhbnRsaXN0LzIiPgogIDx3OkVsZW1lbnQgdzpuYW1lPSJhbnN plw5pc3q6rmfjzultywdlrxllq29sb3jbdhryawj1dguiihc6axnszwzl cmvuy2u9imzhbhnlii8+cjwvdzpxyw50tglzdd4k</nm:datafile> </nm:wantlist> <nm:includewantlist> <nm:value>true</nm:value> </nm:includewantlist> <nm:includedocumentation> <nm:value>true</nm:value> </nm:includedocumentation> </nm:generateschemarequest> </soapenv:body> </soapenv:envelope> 5

3.3 Code List Generation Web Service The WSDL for Code List Generation Web Service can be found at: http://niem.gtri.gatech.edu/niemtools/ws/codelistgenerator/gencodelist.wsdl The service has six input parameters: CodeList - A base64 encoding of the Excel version of the code list Prefix - The prefix of the namespace for the code list URI - The URI of the namespace for the code list Location - The relative path of the schema file to use in the returned zip Version - The version of the namespace to use in the schema Definition The definition of the namespace to use in the schema The service returns one element: Response - A base64 encoding of the generated XML version of the code list The following is a sample call to the service: <soapenv:envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:nm="http://niem.gov/ws/schemas"> <soapenv:header/> <soapenv:body> <nm:generatecodelistrequest> <nm:codelist> <nm:datafile> ** Replace this with Base64 Encoding of Code List here ** </nm:datafile> </nm:codelist> <nm:prefix> <nm:value>test</nm:value> </nm:prefix> <nm:uri> <nm:value>http://niem.gov/test/test</nm:value> </nm:uri> <nm:location> <nm:value>local/codes/schema.xsd</nm:value> </nm:location> <nm:version> <nm:value>2</nm:value> </nm:version> <nm:definition> <nm:value>our definition</nm:value> </nm:definition> </nm:generatecodelistrequest> </soapenv:body> </soapenv:envelope> 6

Certificate Creation The following is the recommended and supported way to generate a X.509 certificate and have it signed by the NIEM Certificate Authority. This requires that OpenSSL (http://www.openssl.org/) be installed on your system. The examples below use Unix syntax; however, a user can also generate the key using similar commands in Windows or other operating systems. These instructions generate a certificate for use in a Java tool; however, the certificate created can be used in any language or tool. Begin by creating a working directory and change to this directory $ mkdir ExampleCertificateRequest $ cd ExampleCertificateRequest/ Next generate the private key and associated public key. In the command below, replace requestingclient with the alias of your choice. $ keytool -genkey -alias requestingclient -keyalg RSA -keystore exampleclientkeystore.jks Create a password. Fill out the requested details. For the question What is your first and last name (or commonname, if presented with that text), enter the name of the tool which will be using the generated certificate. At this point, the certificate is unsigned. A certificate signing request must be generated so that the NIEM Certificate Authority can sign it. $ keytool -certreq -keystore exampleclientkeystore.jks -alias requestingclient -file requestingclient.cert.req The file generated (requestingclient.cert.req) is the certificate signing request. Send this file to pgmw-system@gtri.gatech.edu with the subject "NIEM Web Service Certificate Request". Within a couple of business days, you will receive an email back with two files attached. One is your signed certificate (this file will be called signedrequestingclient.cert); the other is the public key for the NIEM Certificate Authority (this file will be called cacert.cert). Place these two files in your working folder. Import the NIEM public key into the keystore. $ keytool -import -file cacert.cert -alias NIEMWebService -keystore exampleclientkeystore.jks Hit Y when prompted to trust the certificate. Now your signed certificate can be loaded. $ keytool -import -file signedrequestingclient.cert -alias requestingclient -keystore exampleclientkeystore.jks The signed certificate for your tool has now been imported into the keystore, and is ready for use. 1

Appendix A: Testing with SOAPUI SOAP-UI (http://www.soapui.org/) is a free, open source Web Services testing tool created by Eviware. It can be used to quickly generate SOAP requests to verify Web Service connections, settings, and configurations. A user can employ SOAP-UI to verify that he/she is able to connect to the NIEM Web Services and generate a valid signature with the X.509 certificate that he/she requested and received from the NIEM Certificate Authority. A full SOAP-UI tutorial is outside the scope of this document. SOAP-UI provides a detailed walk-through (with screenshots) of testing WS-Security requests here: http://www.soapui.org/userguide/projects/wss.html. The reader should review or already be familiar with the content of this tutorial before continuing with the rest of this section. The following briefly outlines the steps for configuring the security and signature settings required SOAP-UI to communicate with the NIEM Web Services: 1. Create your keystore within SOAP-UI. 2. Add an Outgoing WSS Configuration of type Signature. 3. Use the requestingclient alias, rather than niemwebserver alias. 4. Change Key Identifier Type to BinarySecurityToken. 5. Leave Signature Algorithm and Signature Canonicalization set to default. 6. Check the box next to Use Single Certificate. 7. At this point, save your project within SOAP-UI. 8. If a request is already open, close it. 9. Open a request (or generate a new one using one of the WSDL links from the NIEM Web Services). 10. Select the Auth tab at the bottom of the Request window. 11. Select the option to choose the security configuration just created under Outgoing WSS. 12. The request should now be configured to generate and attach a signature. Verify this by viewing the raw data of the request sent to ensure that a <wsse:security> element was added within the <soapenv:header> element. 2

To

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information