20160225 - Meeting minutes, Thursday, February 25th February, 2016 - OpenNCP Task Force - Security

OpenNCP Task Force - Security

 

Estimated - 13:00 to 14:00 CET

Performed -  to  CET

AGENDA

  1. Housekeeping
  2. Proposition of agenda (Jerôme & Kostas)
    1. National Connector Specifications: https://openncp.atlassian.net/wiki/display/ncp/National+Connector+Specifications
    2. OpenNCP deviations: https://openncp.atlassian.net/wiki/display/ncp/OpenNCP+deviations
    3. Liferay security issues: /wiki/spaces/ncp/pages/71237661
    4. Implementation of xml digital signature
  3. AOB 
  4. Next meeting

 

LOCATION 

Room Passcode:  (Ask if necessary)

----------------

If you have never attended an Adobe Connect meeting before:

Test your connection: http://ec-wacs.adobeconnect.com/common/help/en/support/meeting_test.htm

Get a quick overview: http://www.adobe.com/products/adobeconnect.html

Adobe, the Adobe logo, Acrobat and Adobe Connect are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States and/or other countries.

PARTICIPANTS

Today's Meeting Participants:

Massimiliano Masi

michele.foucart

Heiko Zimmermann
Joao Cunha

Kostas Karkaletsis

Stéphane Spahni

S

 

MEETING NOTES:
  1. Housekeeping
  2. Proposition of agenda (Jerôme & Kostas)
    1. National Connector Specifications: https://openncp.atlassian.net/wiki/display/ncp/National+Connector+Specifications
      1. Massi has added the original document on the wiki
      2. National Connector

        1. Massi has updated the References adding the original docs:

          • 1 JWG_NCP_Architecture_HLDD_v1.0.pdf
          • 2 Hohpe, Wolf, Enterprise Integration Patterns: Designing, Building, and Deploying Messaging Solutions, Addison Wesley
        2. Massi explains that the process manager keeps the state of the sequence and determine the next processing step based on intermediate results.
        3. The process manager has been in workflow manager and national connector. The sequence of actions is always the same.

        4. The state is in the national connector, while the wm is just keeping the sequence for contacting the NCP stateless services.

        5. Which components are affected? 2 missing components

          1. S asks the following questions:

            1. This way we can fix the issue of assertion mechanism? Massimiliano Masi: yes. Only the workflow manager must be responsible.

            2. The portal needs to be changed? Yes.

            3. The credential part of the portal is the responsibility of the MS?

              1. The NCP responsibility is to check the link between this user and the certificate in order to be sure the user is authorized to access.

              2. The NCP does not authenticate the user, only brokerage

              3. In NCPA we'll have an audit trail

            4. Suggestion of Heiko Zimmermann: would it be feasible with a signature in addition to the the token? Yes

        6. Questions:

          1. 2 APIS: 1 for workflow manager, 1 for national connector

          2. Suggestion to use IHE transation for national connector. Kostas Karkaletsissuggested to use RESTfull. Massimiliano Masiadded that IHE provides it as well.

          3. Do we need REM evidences? In massi's view, yes.

            1. What is the portal adapter? To be asked to Marcello Melgaramichele.foucart will ask

      3. Access control component

        1. Kostas Karkaletsis and Joao Cunha agree that it is clear now to implement.

          1. It has to be implemented by each country => each country to decide.

          2. Stéphane Spahni and Massimiliano Masi: we should agree on 1 implementation, and at the same time the architecture leave the MS free to implement what they want.

          3. Massimiliano Masi would suggest to open a consultation with MS via the OpenNCP mailing list. Massimiliano Masi, Joao Cunha and Kostas Karkaletsis will formalize the question in an e-mail and michele.foucart will send to the mailing list

          4. Implementation will take a couple of weeks so suggestion to work on this after the Connectathon

    2. OpenNCP deviations: https://openncp.atlassian.net/wiki/display/ncp/OpenNCP+deviations
    3. We have created an epic dedicated to performance and security. We could use the same epic?

      1. Kostas had a look at them, but needs some more time to provide feedback on it. Afterwads, new issues related to the task list will be added by S + include issues TSL editor from Joao

      2. Joao adds the following:

        • We should define instruction on the wikipage to create certificate. E.g in Portugal reaching certificate date
        • Establish VPN:
          • DG SANTE requested DIGIT to use TestaNG network.
          • In SMP/SML there were no need of VPN because no exchange of medical data
        • Identity assersions: https://openncp.atlassian.net/browse/GPB-68 what is needed now is to change the deliverable to better clarify the values for that specific field. Those deliverables are on the hand of the EC this is up to EC to define the process of doing that. michele.foucart will see with Markus
        • Establish VPN between PN and Central Services => Since there are no need of VPN with SMP/SML, this can be put on hold
        • Reminder that we should update the installation manual: Epsos Certificates have to be created using SHA-2 instead of SHA-
        • The scripts to create certificate are on the wiki. But we need to adapt the scripts on the wiki (which are customized with Stephane's data)
    4. Liferay security issues: /wiki/spaces/ncp/pages/71237661
      1. Jerôme has installed the new version of Liferay. We'll rerun the test next week to validate that issues are fixed. See if servers are available to validate the fixes.
      2. Liferay version? v6.2.GA6
    5. Implementation of xml digital signature - Not discussed
  3. AOB 
  4. Next meeting
    1. A new meeting would be needed to continue the analysis on workflow manager + digital signature?
    2. 12:30 CET to 13:00 CET