Configuring application security for a typical Web Services application is extremely complex because there are a huge number of configuration options that control everything from the cryptography algorithms used to the order of elements in the message. This flexibility is great for people who spend their time developing custom applications for a single customer. Unfortunately, such flexibility is not a benefit when plug-and-play interoperability between commercial products is the primary objective.
For this reason, UA defines several 'canned' security configurations which are identified with URIs. These URIs are referred to as 'SecurityPolicyUris' in the UA specifications. If a client wants to connect to a server it first has to discover the SecurityPolicyUri and MessageSecurityMode being used by the server's endpoint (future posts will discuss discovery in more detail).
The available UA Security Policies and their URIs are defined in Part 7. To ensure interoperability, UA requires that all applications implement two policies: Basic128Rsa15 and Basic256. The former uses 128-bit cryptography and is secure enough for most applications today. The latter uses 256-bit cryptography and is secure enough for sensitive applications today, but will likely be the minimum required in the future. As technology evolves, more security policies will be added to Part 7 and some will be made mandatory for new products (e.g. NSA Suite B will be the basis for a future security policy).
The MessageSecurityMode specifies whether the messages are signed and encrypted or simply signed. The MessageSecurityMode could also be 'None', but that implies security is turned off and that the SecurityPolicyUri is ignored.
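The discovery step described above leaves the client with a list of endpoints, each carrying a SecurityPolicyUri and a MessageSecurityMode, and the client has to pick one. The following is an added example (not code from the original post or from the OPC Foundation samples) of a client-side selection rule that refuses 'None' and anything below a configurable minimum policy, then prefers the strongest remaining combination. The three URIs are the ones Part 7 assigns to the None, Basic128Rsa15 and Basic256 policies; the preference order, the field names and the sample endpoints are assumptions constructed for the example.

```python
# Added example: choosing an OPC UA endpoint by SecurityPolicyUri and
# MessageSecurityMode.  Strength ranking and field names are assumptions.
from dataclasses import dataclass
from typing import Optional

POLICY_NONE = "http://opcfoundation.org/UA/SecurityPolicy#None"
POLICY_BASIC128RSA15 = "http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15"
POLICY_BASIC256 = "http://opcfoundation.org/UA/SecurityPolicy#Basic256"

# Higher number = stronger.  'None' ranks zero: it turns security off and makes
# the SecurityPolicyUri meaningless, so the client never treats it as a policy.
POLICY_STRENGTH = {POLICY_NONE: 0, POLICY_BASIC128RSA15: 1, POLICY_BASIC256: 2}
MODE_STRENGTH = {"None": 0, "Sign": 1, "SignAndEncrypt": 2}


@dataclass(frozen=True)
class EndpointDescription:
    """Subset of what discovery returns for one server endpoint (constructed)."""
    endpoint_url: str
    security_policy_uri: str
    security_mode: str


def is_acceptable(ep: EndpointDescription, min_policy: str, require_encryption: bool) -> bool:
    """Reject 'None', unrecognised policy URIs, and anything below the floor."""
    if ep.security_mode == "None" or ep.security_policy_uri == POLICY_NONE:
        return False
    if ep.security_policy_uri not in POLICY_STRENGTH or ep.security_mode not in MODE_STRENGTH:
        return False  # a URI the client does not know is not a policy it can honour
    if POLICY_STRENGTH[ep.security_policy_uri] < POLICY_STRENGTH[min_policy]:
        return False
    return ep.security_mode == "SignAndEncrypt" or not require_encryption


def select_endpoint(endpoints, min_policy=POLICY_BASIC128RSA15,
                    require_encryption=True) -> Optional[EndpointDescription]:
    """Pick the strongest acceptable endpoint (policy first, then mode)."""
    candidates = [e for e in endpoints if is_acceptable(e, min_policy, require_encryption)]
    if not candidates:
        return None  # fail closed instead of silently falling back to None/None
    return max(candidates, key=lambda e: (POLICY_STRENGTH[e.security_policy_uri],
                                          MODE_STRENGTH[e.security_mode]))


# Constructed discovery result: one server exposing three endpoints.
SAMPLE_ENDPOINTS = [
    EndpointDescription("opc.tcp://example.invalid:4840", POLICY_NONE, "None"),
    EndpointDescription("opc.tcp://example.invalid:4840", POLICY_BASIC128RSA15, "Sign"),
    EndpointDescription("opc.tcp://example.invalid:4840", POLICY_BASIC256, "SignAndEncrypt"),
]
```

Raising `min_policy` is how a deployment follows Part 7 as stronger policies become mandatory; returning `None` rather than a weaker endpoint keeps the client from negotiating down.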
Of course, these URIs do not tell a developer how to build or configure an application. This information can be found in the XML Web Services mapping in Part 6 and in the list of specific algorithms assigned to the Security Policies in Part 7. To make this process easier, the samples provided by the OPC Foundation include the WCF Channel Bindings and the WS-Policy Attachments which describe the standard UA Security Policies. For example, a WCF binding which implements the Basic128Rsa15 Security Policy with signing and encryption can be found here. The same information as a WSDL Policy Attachment can be found here.
Note that the WCF binding does include a number of timeout and buffer size settings which are not required for interoperability. However, a developer does not need to worry about those details. All they need to know is that using that WCF binding will allow them to communicate with any application that supports the UA Basic128Rsa15/SignAndEncrypt Security Policy with XML Web Services.
It is worth noting that UA's security policy model is also independent of the implementation technology. This means that UA applications which do not use XML Web Services can be configured using the same information. The exact mapping between the UA Security Policies and the communication technology is defined by the mappings in Part 6.