OpenNCP Task Force - Security

 

Estimated - 13:00 to 14:00 CET

Performed -  to  CET

AGENDA

  1. Housekeeping
  2. Proposition of agenda (Jerôme & Kostas)
    1. National Connector Specifications: https://openncp.atlassian.net/wiki/display/ncp/National+Connector+Specifications
    2. OpenNCP deviations: https://openncp.atlassian.net/wiki/display/ncp/OpenNCP+deviations
    3. Liferay security issues: /wiki/spaces/ncp/pages/71237661
    4. Implementation of xml digital signature
  3. AOB 
  4. Next meeting

...

Room Passcode:  (Ask if necessary)


PARTICIPANTS

Today's Meeting Participants:

...

  1. Housekeeping
  2. Proposition of agenda (Jerôme & Kostas)
    1. National Connector Specifications: https://openncp.atlassian.net/wiki/display/ncp/National+Connector+Specifications
      1. Massi has added the original document on the wiki
      2. National Connector

        1. Massi has updated the References adding the original docs:

          • 1 JWG_NCP_Architecture_HLDD_v1.0.pdf
          • 2 Hohpe, Wolf, Enterprise Integration Patterns: Designing, Building, and Deploying Messaging Solutions, Addison Wesley
        2. Massi explains that the process manager keeps the state of the sequence and determines the next processing step based on intermediate results.
        3. The process manager has been in workflow manager and national connector. The sequence of actions is always the same.

        Go through the Java code

        1. The state is in the national connector, while the wm is just keeping the sequence for contacting the NCP stateless services.
        2. Which components are affected? 2 missing components
          1. Jerôme S asks the following questions:
            1. This way we can fix the issue of assertion mechanism? Massimiliano Masi: yes. Only the workflow manager must be responsible.
            2. The portal needs to be changed? Yes.
            3. The credential part of the portal is the responsibility of the MS?
              1. The NCP responsibility is to check the link between this user and the certificate in order to be sure the user is authorized to access.
              2. The NCP does not authenticate the user, only brokerage.
              3. In NCPA we'll have an audit trail
            4. Suggestion of Heiko Zimmermann: would it be feasible with a signature in addition to the token? Yes.
        3. Questions:
          1. 2 APIs: 1 for workflow manager, 1 for national connector
          2. Suggestion to use IHE transaction for national connector. Kostas Karkaletsis suggested to use RESTful.
          3. Massimiliano Masi added that IHE provides it as well.
          4. Do we need REM evidences? In Massi's view, yes.
            1. What is the portal adapter? To be asked to Marcello Melgara.
            2. michele.foucart will ask

      3. Access control component.

        1. Kostas Karkaletsis and Joao Cunha agree that it is clear now to implement.

          1. It has to be implemented by each country => each country to decide.

          2. Stéphane Spahni and Massimiliano Masi: we should agree on 1 implementation, and at the same time the architecture leaves the MS free to implement what they want.
          3. Massimiliano Masi would suggest to open a consultation with MS via the OpenNCP mailing list.
          4. Massimiliano Masi, Joao Cunha and Kostas Karkaletsis will formalize the question in an e-mail and michele.foucart will send to the mailing list
          5. Implementation will take a couple of weeks so suggestion to work on this after the Connectathon

    2. OpenNCP deviations: https://openncp.atlassian.net/wiki/display/ncp/OpenNCP+deviations
      1. We have created an epic dedicated to performance and security. We could use the same epic?
      2. Kostas had a look at them, but needs some more time to provide feedback on it. Afterwards, new issues related to the task list will be added by Jerôme or Jerôme S + include issues TSL editor from Joao

      This Epic contains Issues found by the security team…

      3. Joao adds the following:
        • We should define instruction on the wikipage to create certificate. E.g. in Portugal reaching certificate date
        • Establish VPN:
          • DG SANTE requested DIGIT to use TestaNG network.
          • In SMP/SML there was no need of VPN because no exchange
        • to change the deliverable to better clarify the values for that specific field. Those deliverables are in the hands of the EC; this is up to EC to define the process of doing that
        • Establish VPN between PN and Central Services => Since there is no need of VPN with SMP/SML, this can be put on hold
        • Reminder that we should update the installation manual: Epsos Certificates have to be created using SHA-2 instead of SHA-
        • The scripts to create certificate are on the wiki. But we need to adapt the scripts on the wiki (which are customized with Stephane's data)
    3. Liferay security issues: /wiki/spaces/ncp/pages/71237661
      1. Jerôme has installed the new version of Liferay. We'll rerun the test next week to validate that issues are fixed. See if servers are available to validate the fixes.
      2. Liferay version? v6.2.GA6
    4. Implementation of xml digital signature - Not discussed
  3. AOB 
  4. Next meeting
    1. A new meeting would be needed to continue the analysis on workflow manager + digital signature?
    2. 12:30 CET to 13:00 CET

 

...