Begrepskatalog

 
Sist endret 21.09.15 09:31
Arbeidsversjon

Webservice sikkerhet

Webservice security headere

Webservice security header består av følgende elementer:

Identifikator Kardinalitet Datatype
BinarySecurityToken 1..1 wsse:BinarySecurityToken
Timestamp 1..1 wsu:Timestamp
Signature 1..1 ds:Signature

Meldingen er kun signert på SOAP nivå, ikke kryptert.

Timestamp

  • Time-to-live skal være 120 sekunder

På grunn av den korte Time-to-live så kreves det at alle aktører har servere med klokker synkronisert med NTP.

BinarySecurityToken

  • Sertifikat for validering av signatur skal inkluderes i SOAP header
  • Security Token være X509 sertifikater
  • Sertifikatet som brukes skal være et virksomhetssertifikat
    • sertifikatet skal være utstedt til behandlingsansvarlig eller databehandler.
    • I testmiljøet brukes test-virksomhetssertifikat utstedt fra samme leverandører som i produksjon

Signature

Følgende elementer i SOAP meldingen signeres:

  • Timestamp
  • Soap body
  • eb:Messaging header
  • Soap attachment

eksempel

Under kan er det lagt opp en et eksempel på en gyldig Webservice security header generert fra java klient biblioteket for sending av digital post:

   <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" env:mustUnderstand="true">
      <wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="X509-b1149be9-7b9e-4ce6-8cca-1cd915ae4fe9">MIIFOjCCBCKgAwIBAgIKGQqI22LuZ+0U6TANBgkqhkiG9w0BAQsFADBRMQswCQYDVQQGEwJOTzEdMBsGA1UECgwUQnV5cGFzcyBBUy05ODMxNjMzMjcxIzAhBgNVBAMMGkJ1eXBhc3MgQ2xhc3MgMyBUZXN0NCBDQSAzMB4XDTE0MDYxNjA4NTYyNloXDTE3MDYxNjIxNTkwMFowgaAxCzAJBgNVBAYTAk5PMSwwKgYDVQQKDCNESVJFS1RPUkFURVQgRk9SIEZPUlZBTFROSU5HIE9HIElLVDEhMB8GA1UECwwYU0RQIC0gbWVsZGluZ3N1dHZla3NsaW5nMSwwKgYDVQQDDCNESVJFS1RPUkFURVQgRk9SIEZPUlZBTFROSU5HIE9HIElLVDESMBAGA1UEBRMJOTkxODI1ODI3MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAx6IPA2KSAkSupen5fFM1LEnW6CRqSK20wjpBnXf414W03eWUvBlw97c6k5sl2tYdn4aVb6Z9GeDaz1bLKN3XwhFGPk9PnjSIhrFJNAPnWVEBDqGqfeMrEsYdOEgM2veBZDYkhVwipjr8AesmptTRAat61q+6hCJe8UZqjXb4Mg6YKSTAHfJdthAG06weBMgVouQkTkeIIawM+QPcKQ3Wao0gIZi17V0+8xzgDu1PXr90eJ/Xjsw9t0C8Ey/3N7n3j3hplsZkjOJMBNHzbeBG/doroC6uzVURiuEn9Bc9Nk224b+7lOBZ1FvNNrJVUu5Ty3xyMDseCV7z1QTwW7wcpwIDAQABo4IBwjCCAb4wCQYDVR0TBAIwADAfBgNVHSMEGDAWgBQ/rvV4C5KjcCA1X1r69ySgUgHwQTAdBgNVHQ4EFgQU6JguiqDjkgjEGRHhzkbeKeqyWQEwDgYDVR0PAQH/BAQDAgSwMBYGA1UdIAQPMA0wCwYJYIRCARoBAAMCMIG7BgNVHR8EgbMwgbAwN6A1oDOGMWh0dHA6Ly9jcmwudGVzdDQuYnV5cGFzcy5uby9jcmwvQlBDbGFzczNUNENBMy5jcmwwdaBzoHGGb2xkYXA6Ly9sZGFwLnRlc3Q0LmJ1eXBhc3Mubm8vZGM9QnV5cGFzcyxkYz1OTyxDTj1CdXlwYXNzJTIwQ2xhc3MlMjAzJTIwVGVzdDQlMjBDQSUyMDM/Y2VydGlmaWNhdGVSZXZvY2F0aW9uTGlzdDCBigYIKwYBBQUHAQEEfjB8MDsGCCsGAQUFBzABhi9odHRwOi8vb2NzcC50ZXN0NC5idXlwYXNzLm5vL29jc3AvQlBDbGFzczNUNENBMzA9BggrBgEFBQcwAoYxaHR0cDovL2NydC50ZXN0NC5idXlwYXNzLm5vL2NydC9CUENsYXNzM1Q0Q0EzLmNlcjANBgkqhkiG9w0BAQsFAAOCAQEAKOTM1zSdGHWUBKPzDPYCcci9cpbktd2WuBg028bRC0NwKSWUKeuUfWesTiu/P4UlYGe86qd/+z3MNpN89aGA8pr0E0WpI+NM+v+Cb0dQwxHASHtrkVo9CVx6V6/QSBqIUEMfNquDHzxB2/mXbv6GuO5eIl3OSVKg7Ffd/1wdE6zeMmHQO+zRpfj+OVEhNPb5cLa13Ah9+JrMkr1O7VUFbozLQgFPhuI8/5+u8U/6cDOOmcFV4f4IYUmhbcLiW5MQnvaJ8044+uInOQTNtSkKmZAo7Jnm4KUyhFXftJOStOHSlODOQcepVS7csszO5yWQRMTV8doEsaH5p/LBXYF56Q==</wsse:BinarySecurityToken>
      <wsu:Timestamp wsu:Id="TS-08b9bf59-4914-462c-868d-6277a702c578">
        <wsu:Created>2015-09-15T06:47:11.672Z</wsu:Created>
        <wsu:Expires>2015-09-15T06:52:11.672Z</wsu:Expires>
      </wsu:Timestamp>
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="SIG-35cb96d4-3a9b-4769-ae2b-5c88391c3c75">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
            <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="env"/>
          </ds:CanonicalizationMethod>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
          <ds:Reference URI="#soapBody">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList=""/>
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
            <ds:DigestValue>FNviz1QfCqb4noYySIXZFsvxjmNuyEEmUcMPAu56p1c=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#TS-08b9bf59-4914-462c-868d-6277a702c578">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="wsse env"/>
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
            <ds:DigestValue>NQxFSon1NctBZOPD+B4Oq4eF7xNOCqBL7ltQGD1wdgQ=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#id-55daa7c1-e2f8-4026-ae5e-add5643588e0">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList=""/>
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
            <ds:DigestValue>o05bS7fdRT9wbANXGz+kRFPfVIgXQct+jaj6wmulQkY=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="cid:cfbb64c8-be18-4a51-98e6-1a9ef85cab5a@meldingsformidler.sdp.difi.no">
            <ds:Transforms>
              <ds:Transform Algorithm="http://docs.oasis-open.org/wss/oasis-wss-SwAProfile-1.1#Attachment-Content-Signature-Transform"/>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
            <ds:DigestValue>lTQzlEnR4v0Dkm+JqZdzStEh2l/z0hqU8D5h3aW1m5w=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>vyLuoJf7rjNNuE7EQkOZgj50PkbehFZFP6WAeoJnFsCqUzh8AcSUmussxIgb8hUzKQLkYWlq48+ZPutpufI04j1hak64rphHLYKMqxepaCT4Kwv9mvdSPyTTtPOi3ou3IELF4DSo9rCRevB5CJFwDmT6OGrheBIx3H7GY7pqblpbVDRsh+sCT+5NaFEiysEIIQgnYxM9PDKmXtzcojwDt4QTx3huZ8fl10kPs5PFDZqLh0GQlIjSp9Uqq5ZaLHgbAXbA+lsDbfT5omAzUBTpf7ktrtBTUrOra+BEjSUzz0pGGKnYVAuRhnbkRY2hk2DQFAiv32JXMYevyw8l2RiMZQ==</ds:SignatureValue>
        <ds:KeyInfo Id="KI-d2cd2986-3da9-4127-8523-a8b18197a34d">
          <wsse:SecurityTokenReference wsu:Id="STR-5407ac8e-44a1-42f5-a9c7-aaca98484352">
            <wsse:Reference URI="#X509-b1149be9-7b9e-4ce6-8cca-1cd915ae4fe9" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
    </wsse:Security>