20160602 - Meeting minutes, Thursday, June 2nd, 2016 - OpenNCP Technical Committee Meeting

OpenNCP Technical Committee Meeting

 

Estimated - 15:00 to 16:00 CET

Performed - 15:05 to 16:05 CET

AGENDA

  1. Release 2.4.1
  2. Presentation approaches to component per component testing
    1. Security testing
    2. Performance testing
  3. Update task force meetings
    1. Terminology server
    2. Release management
    3. Migration to CEF digital
    4. SMP/SML
      1. Cache mechanism
      2. Multiple signatures
    5. eID
  4. AOB
  5. Next meeting 

 

LOCATION

Adobe Connect

http://ec-wacs.adobeconnect.com/openncp/

Room Passcode:  markus.kalliola or Licinio Kustra Mano


PARTICIPANTS

Today's Meeting Participants:

S

Natasha Carl

Kostas Karkaletsis

Stéphane Spahni

Massimiliano Masi

YacoubouY

Joao Cunha

michele.foucart

 

MEETING NOTES

  1. Release 2.4.1
    1. 24/05 - Release note 2.4.1 Release Changelog and Notes
      1. Circular dependency between 2 components (Audit manager and UTIL) - needs to be solved
        • S will create an issue.
  2. Presentation approaches to component per component testing:
    1. Security testing - Natasha Carl
      1. Not focusing on the application but on the webservices; the idea is to isolate the components
        1. We will start with Security assertions testing - Not possible to test totally in isolation
        2. Client Connector
        3. TRC-STS: in 2 parts, also used for eID
          1. Need a library to execute the tests - easy-to-use token, same for eID. ? Signature assertion. We can contact Massimiliano Masi when doing the tests if we have questions
          2. TRC-STS for eID does not provide WSDL. But we can get it from the source code
        4. Out of scope: SMP/SML
      2. Tools:
        1. Appscan - for SOAP
          1. Black box test
          2. Grey box - tests on the web services, changing the values... uses the messages figured out, and AppScan will try to modify the message (executing the workflow and trying to inject XML vulnerability tests...)
        2. SOAP-UI
      3. Timing: Configuration is ongoing. Tests will start ASAP; it is difficult to provide a timeline since it depends on the complexity of each component
    2. Performance testing - YacoubouY
      1. Neoload with SOAP extension support
        1. Test on the client side, client connector services, the portal
        2. Server side: XDR services, XCPD and XCA, assertion services and part of ATNA
        3. Will be executed with 10 - 25 concurrent users, with the latest release 2.4.1 and results will be compared with the results presented in Lisbon
      2. Prepare and execute the scenario + different execution possibilities, with 1 and more, up to 25 concurrent users
      3. Timing: Configuration ongoing, and start execution beginning of next week
    3. We will probably need to provide the standalone to contact the webservices, which will take time to be put in place
  3. Update task force meetings:
    1. Terminology server:
      1. Outcome of the analysis will be presented during eHOMB 2/06, we will inform the community about further actions
        1. The role management/authorization part of FHDTS is designed for 1 organization. We will need to further develop this part (multi-level role access) to ensure that only MS have the rights to update their own content (liability of the content)
        2. What will be recommended to eHOMB is to re-use the code that we can and to develop what we need, based, among other things, on the input received from the user testers (Giorgio and Marta)
      2. Resources with expertise on the field? Luc Mottin or Patrick. Luc is already part of the task force
    2. Release management:
      1. Dependency between packages
      2. We can start the testing next Monday
    3. Migration to CEF digital:
      1. Meeting with DIGIT yesterday 1/06
      2. We received the confirmation that we can finally use the CEF platform.
        1. CEF Digital is open source so source code will be public. 
          • S will check if we need to be registered to view the source code
      3. Migration of Confluence - we will need to reorganize our spaces, because there are too many. We need to clean up Confluence
      4. Mapping of users Atlassian and CEF digital platform - it is ok.
      5. Migration of JIRA - issue related to the version of Jira used. Now it should match and issue should be fixed
      6. Bitbucket - it should not be a problem
      7. Nexus repository
      8. Timeline? During summer (DIGIT is busy now with the production until end of June)
    4. SMP/SML:
      1. Cache mechanism:
        The ad hoc meeting (   10:00-11:00 between Kostas Karkaletsis, Joao Cunha, Massimiliano Masi and S) focused on the explanation and clarification of the caching implementation.
        It was explained that there are 2 main types of properties, called static and dynamic, available through a static Map filled in with data from the properties database.
        The main difference between the properties is: static (all the configuration properties of the components), dynamic (info from the endpoints, certificates, international search masks). As we use Hibernate, the discriminator column could be used to manage the property type.
        The general process is described below:

        private final static HashMap<String, PropertyValue> hm

        // a PropertyValue is either a StaticValue or a DynamicValue
        getProperty(propString):
            PropertyValue pv = hm.get(propString);

            if (pv instanceof DynamicValue) {
                do SMP;
                if SMP is null, run TSLSync;
                if still null, throw exception;
            }
            else {
                pv is a static value, so it must be in the hashmap;
                if null, throw exception;
            }
        
        In getInstance, the private constructor is responsible for deciding (static or dynamic)
            So the private constructor builds the correct classes
            Updating does not change the partition
            Settings must change the signature of the method, by adding the partition

        TODO: Analyse the error codes and Exceptions raised when a call from NCP-B to NCP-A fails.

      2. Multiple signatures: proposal from OASIS has been tested with success so we can accept OASIS recommendation
    5. eID - no update
  4. AOB:
  5. Next meeting 3pm
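
The cache lookup sketched under SMP/SML > Cache mechanism, written out as an added Java example; it is not OpenNCP code and was not part of the meeting. All class, method and key names are hypothetical, and the SMP query and TSLSync are stand-in functions passed to the constructor. It shows the property failing closed when neither source resolves a dynamic value.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.function.Function;

// Added illustration: all class, method and key names are hypothetical, not OpenNCP's.
public class PropertyCacheExample {
    static class PropertyValue { String value; PropertyValue(String v) { value = v; } }
    static class StaticValue extends PropertyValue { StaticValue(String v) { super(v); } }
    static class DynamicValue extends PropertyValue { DynamicValue(String v) { super(v); } }

    private final Map<String, PropertyValue> cache = new HashMap<>();
    private final Function<String, String> smpLookup; // stand-in for the SMP query
    private final Function<String, String> tslSync;   // stand-in for TSLSync

    PropertyCacheExample(Function<String, String> smp, Function<String, String> tsl) { smpLookup = smp; tslSync = tsl; }

    void register(String key, PropertyValue pv) { cache.put(key, pv); }

    String getProperty(String key) {
        PropertyValue pv = cache.get(key);
        if (pv instanceof DynamicValue) {
            String v = smpLookup.apply(key);           // 1. ask SMP
            if (v == null) v = tslSync.apply(key);     // 2. fall back to TSLSync
            if (v == null)                             // 3. still nothing: fail closed
                throw new IllegalStateException("Unresolved dynamic property: " + key);
            pv.value = v;                              // refresh the cached copy
            return v;
        }
        // Static (or unregistered) property: it must already be in the map.
        if (pv == null || pv.value == null)
            throw new IllegalStateException("Missing static property: " + key);
        return pv.value;
    }

    public static void main(String[] args) {
        // Constructed sample data: SMP resolves nothing, TSLSync knows one endpoint.
        PropertyCacheExample c = new PropertyCacheExample(
            k -> null,
            k -> k.equals("pt.endpoint.xca") ? "https://ncp.example.invalid/xca" : null);
        c.register("audit.enabled", new StaticValue("true"));
        c.register("pt.endpoint.xca", new DynamicValue(null));
        c.register("xx.endpoint.xca", new DynamicValue(null));
        System.out.println(c.getProperty("audit.enabled"));
        System.out.println(c.getProperty("pt.endpoint.xca"));
        try { c.getProperty("xx.endpoint.xca"); }
        catch (IllegalStateException e) { System.out.println("refused: " + e.getMessage()); }
    }
}
```

Throwing instead of returning null keeps a caller from proceeding with an endpoint or certificate that could not be resolved, which is the failure path the TODO on NCP-B to NCP-A error codes asks to analyse.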