Argonaut Do Not Fly Service – WCF Implementation David Hughes
TABLE OF CONTENTS
1 Purpose, Scope, and History
2 References
3 Platform Requirements
  3.1 Amazon EC2 – Windows Server 2008 R2
  3.2 Internet Information Services (IIS) 7.5
  3.3 SQL Server 2008 R2 Express
  3.4 Visual Studio 2012 Professional
  3.5 Security Requirements
4 Service Description
5 Installation/Deployment Instructions
  5.1 Introduction
  5.2 Deployment from the provided zip file
    5.2.1 Installation Preparations
    5.2.2 Installation Steps
    5.2.3 Secure Mode configuration
    5.2.4 Debug Mode configuration
  5.3 Working with the source code
    5.3.1 ArgonautDoNotFly project
    5.3.2 AirIdentityConsumer project
    5.3.3 BasicAirlineConsumer project
    5.3.4 Library project
    5.3.5 MessageInspector project
    5.3.6 TestConsumer project
6 Design and Rationale
  6.1 Overview
  6.2 Layer 1 – WCF Message Inspectors
    6.2.1 Producer Message Inspector
    6.2.2 Consumer Message Inspector
  6.3 Layer 2 – Producer/Consumer Layer
    6.3.1 PRODUCER – Do Not Fly Service
    6.3.2 CONSUMER – Air Identity Consumer
    6.3.3 CONSUMER – Basic Airline Consumer
  6.4 Layer 3 – Implementation Layer
    6.4.1 PRODUCER – doNotFlyImplementation class
    6.4.2 CONSUMER – AIImplementation and EncryptionUtility class
    6.4.3 CONSUMER – BAImplementation and BAPassengerList classes
  6.5 Layer 4 – Library and Database
    6.5.1 Library
    6.5.2 ADNF Database
7 Security Touchpoint Items
  7.1 STIG APP3120
  7.2 STIG APP3640
  7.3 STIG APP3350
  7.4 STIG APP3500
8 Appendix – Sample TestConsumer Run
1 PURPOSE, SCOPE, AND HISTORY
The Argonaut Do Not Fly Service was developed by David Hughes in the Spring, 2013 Semester as part of course COT6931 at the University of West Florida. It is one of the Do Not Fly services that operate as part of the Airline Reservations system [PROJREQ]. It provides a Microsoft Windows Communication Foundation (WCF) 4.5 C# implementation of the Do Not Fly Services interface [DNF]. In addition, the Argonaut Do Not Fly Service was developed using a Security Process that ensures the software fulfills a checklist of security practices [SECPROC].
2 REFERENCES
[AUTHSPEC] AirIdentity Service Authentication Specification, [Online] http://uwf.edu/nwilde/soaResources/airlineReservations/authenticationSpecification.pdf
[AWSWIN] Getting Started with Amazon EC2 Windows Instances, [Online] http://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/EC2Win_GetStarted.html
[ENTLIBDB] The Data Access Application Block, [Online] http://msdn.microsoft.com/en-us/library/ff664408(PandP.50).aspx
[DNF] WSDL and XSD Interface for the Do Not Fly Service, [Online] http://www.cs.uwf.edu/~wilde/201301_COT6931_SOA/projectContent/doNotFlyInterface.zip
[IISAPP] Managing Applications in IIS 7, [Online] http://technet.microsoft.com/en-us/library/cc771654(v=ws.10).aspx
[INSTALL45] Installing the .NET Framework 4.5, [Online] http://msdn.microsoft.com/en-us/library/5a4x27ek.aspx
[LEASTPRIV] Configuring Applications for Least Privilege, [Online] http://technet.microsoft.com/en-us/library/dd163542.aspx
[PROJREQ] Implementing Services with Authentication: Project Requirements, [Online] http://www.cs.uwf.edu/~wilde/201301_COT6931_SOA/projectContent/SpringProjectRequirements.pdf
[REMOTE] The most useful feature of Remote Desktop I never knew about, [Online] http://blogs.msdn.com/b/brendangrant/archive/2009/02/17/most-useful-feature-of-remote-desktop-i-never-knew-about.aspx
[SECCHK] Application Security and Development Checklist V3R3, [Online] http://www.cs.uwf.edu/~wilde/201208_COT6931_Project_SOA/201210_MilChecklist/checklist.xml
[SECPROC] Security Process for SOA Services, [Online] http://www.cs.uwf.edu/~wilde/201301_COT6931_SOA/projectContent/SecurityProcess.pdf
[WCFEXT] WCF Extensibility, [Online] http://blogs.msdn.com/b/carlosfigueira/archive/2011/03/14/wcf-extensibility.aspx
[WINSDK8] Windows Software Development Kit (SDK) for Windows 8, [Online] http://msdn.microsoft.com/en-US/windows/desktop/hh852363.aspx
[XML] Using the XmlSerializer Class, [Online] http://msdn.microsoft.com/en-us/library/ms733901.aspx
3 PLATFORM REQUIREMENTS
3.1 Amazon EC2 – Windows Server 2008 R2
An Amazon EC2 Instance running Windows Server 2008 R2 with SQL Server 2008 R2 Express and Internet Information Services (IIS) 7.5 provides a hosted cloud environment for the Argonaut Do Not Fly WCF.NET service. The Microsoft .NET Framework 4.5 and Microsoft Windows SDK, version 8, are installed on the instance to allow for hosting .NET 4.5 services and viewing message traces with the Microsoft Service Trace Viewer.
3.2 Internet Information Services (IIS) 7.5
The Argonaut Do Not Fly Service is a WCF service hosted in IIS. The running IIS application is assigned to the IIS default application pool (DefaultAppPool) with .NET Framework version 4.5 (4.0.30319). It is assumed that the reader is familiar with setting up an application that is hosted on an IIS server.
3.3 SQL Server 2008 R2 Express
The SQL Server 2008 R2 Express default instance is used as the database provider. The Argonaut Do Not Fly Service uses Windows integrated security for credentials to access the database (ADNF). A SQL login using Windows authentication is created for the “IIS AppPool\DefaultAppPool” identity to enable access to the ADNF database with both database role memberships and database securables explicitly granted. These memberships and securables allow the Argonaut Do Not Fly Service to run stored procedures for retrieving security credentials and for logging service access.
3.4 Visual Studio 2012 Professional
The Argonaut Do Not Fly Service was created using the Microsoft Visual Studio 2012 Professional IDE on a Windows 7 workstation. The Microsoft Service Model Metadata Tool (SvcUtil) was used to generate producer service code from the WSDL and XSD files that define the Do Not Fly Service interface [DNF]. In order to support interoperability with other platforms, the following key SvcUtil switches were used to generate producer service code:
- /mc: Generate Message Contract types.
- /serializer:XmlSerializer: Generate data types that use the XmlSerializer for serialization and deserialization.
- /fault: Specifies that the XmlSerializer should be used for reading and writing faults.
- /wrapped: Generated code will not unwrap the “parameters” member of document-wrapped-literal messages.
- /sc: Generate code for Service Contracts.
The Message Contract and the XmlSerializer are especially important for generating services that are interoperable with other technology packages (e.g. LAMP and Glassfish/Java) by following SOAP Encoding standards [XML]. In addition, Air Identity consumer code and Basic Airline consumer code were generated using the SvcUtil tool via the “Add Service Reference…” option in the Visual Studio Solution Explorer.
3.5 Security Requirements
The Argonaut Do Not Fly Service can be deployed in either non-secure or secure modes. In non-secure mode, the Argonaut Do Not Fly Service will accept and process request messages from any source, with or without a security header. In secure mode, the Argonaut Do Not Fly Service will only process request messages from consumer services that include a valid SOAP security header as specified in the Authentication Specification document [AUTHSPEC]. By following the Air Identity use case scenario, where the consumer service acts as the client and the Argonaut Do Not Fly Service acts as the caller, the consumer service must be authenticated by an Air Identity Service. If authentication fails, a SOAP Fault with a “Client” fault code will be returned. NOTE: The implemented Air Identity Service did not completely adhere to the published specification. Therefore, the following variances to the specification have been implemented:
- The Binary Security Token (or EncryptedCombinedNonce) is a SHA-256 cryptographic hash of the first four elements of the Security Header concatenated together in the following order: callerUsername + callerPassword + clientUsername + clientPassword. In addition, the token is a lowercase hexadecimal string and not Base64 encoded.
- Timestamps are in a UTC time format: YYYY-MM-ddTHH:mm:ss.
In order to deploy in secure mode, the Argonaut Do Not Fly Service will need a valid username and symmetric encryption key for its own authentication with a running Air Identity Service. In addition, the URL of a running Air Identity Service will be required. This authentication information will need to be stored in the ADNF database for the secure Argonaut Do Not Fly Service to use during operations.
4 SERVICE DESCRIPTION
The Argonaut Do Not Fly Service provides the single operation described in [DNF]:
- passengerSearch()
The Argonaut Do Not Fly Service provides for searching airline flights that departed within a given time interval for passengers that match either a given date of birth, a name containing a given string, or both. The string matches are not case sensitive. The matching passengers are returned.
5 INSTALLATION/DEPLOYMENT INSTRUCTIONS
5.1 Introduction
The ArgonautDoNotFlyDeploymentPackage.zip file is a compressed package of pre-compiled files required for deployment on a Windows Server running SQL Server and IIS. The ArgonautDoNotFlyCompletePackage.zip compressed file contains the Argonaut Do Not Fly source solution, which can be rebuilt in Visual Studio 2012 Professional. The solution is comprised of multiple .NET Framework 4.5 projects:
- ArgonautDoNotFly - C# WCF Service Application
- AirIdentityConsumer - C# Class Library
- BasicAirlineConsumer - C# Class Library
- Library - C# Class Library
- MessageInspector - C# Class Library
- TestConsumer - C# Console Application (optional testing tool)
5.2 Deployment from the provided zip file
The ArgonautDoNotFlyDeploymentPackage.zip file contains the compiled .dll files and configuration file ready for a non-secure deployment. In addition, two batch files, CreateDatabase.bat and SetupIIS.bat, are provided to simplify the database setup and IIS configuration steps.
5.2.1 Installation Preparations
The Argonaut Do Not Fly Service is designed to be hosted on a machine running IIS 7.5 and SQL Server 2008 R2. While a Windows 7 workstation was used in development, these installation instructions assume that the service is to be deployed on an Amazon Web Services EC2 instance of Windows Server 2008 R2 with IIS 7.5 and SQL Express 2008 R2. The “Getting Started with Amazon EC2 Windows Instances” guide has instructions for creating an AWS account, launching a Windows instance, and connecting to the Windows instance [AWSWIN]. The following instructions assume that you have an AWS account and that you have downloaded the ArgonautDoNotFlyDeploymentPackage.zip file to your workstation. A secure deployment will need the following additional information: the URL of a running Air Identity Service and an assigned username/symmetric encryption key pair for service authentication.
5.2.2 Installation Steps
1) Create and secure your Windows Server. As explained in [AWSWIN], launch an Amazon EC2 instance of Microsoft Windows Server 2008 R2 with SQL Server Express and IIS. By default, AWS will create a security group allowing everyone (0.0.0.0/0) access to the following: HTTP (port 80), MS SQL (port 1433), and RDP (port 3389). A better approach to securing your new instance is to have HTTP open for everyone, RDP open for only your workstation’s IP, and no inbound rule for MS SQL at all, since the service reaches the database only on the instance itself (section 3.3). For example, assuming that your workstation’s IP were 98.42.81.203, you should configure the AWS security group as follows:
   a. TCP Port: 80 (HTTP) Source: 0.0.0.0/0
   b. TCP Port: 3389 (RDP) Source: 98.42.81.203/32
2) Get the server’s Administrator password and IP. With the key pair used to create the instance, retrieve the Windows administrator password from the EC2 Instance “Actions” drop-down selection. Also, note the Public DNS of the instance.
3) Remote in to the server. From your workstation, use Remote Desktop Connection to connect to your new running instance, using the Public DNS, and log in as Administrator with the retrieved password. NOTE: Setting the connection options to allow local devices, such as the Clipboard or Drives, to be accessed from the remote computer (your new server) will allow for an easy exchange of files between the workstation and the server [REMOTE].
4) Install .NET Framework. On the new server, download and install Microsoft .NET Framework 4.5 [INSTALL45].
   a. Because of Internet Explorer’s Enhanced Security Configuration for Administrators on servers, you will have to add http://download.microsoft.com to the “Trusted sites” zone to permit downloading the .NET Framework 4.5 installation file with Internet Explorer. This can be accomplished from Internet Explorer’s Tools – Internet Options – Security tab – Sites button.
   b. Download and run the web bootstrapper (dotNetFx45_Full_setup.exe) to simplify the .NET 4.5 installation process. Note: The process is slow on the AWS micro instance.
5) Set server clock. Open the “Date and Time” tool from the Control Panel. Change the date and time to match that of the Air Identity Service; the UTC timestamps carried in the security header (section 3.5) are only meaningful when the two clocks agree. If AWS permits (some instances are not allowed), set the Internet time to synchronize with the “time.uwf.edu” Internet time server (or whichever time server the Air Identity Service is using).
6) Copy and extract the deployment files on the new server. Copy the ArgonautDoNotFlyDeploymentPackage.zip to the new server and then extract the files to a folder on the server.
7) Set service credentials (may be skipped if the service will not run in secure mode). Using Notepad (or any text editor), update the SQL script, Create_ADNF_with_user.sql. The VALUES clause (in the script’s last statement) must be updated with the service’s assigned username and encryption key, and the URL of a running Air Identity Service.
8) Create database. Run the CreateDatabase.bat Windows Batch File to set up the ADNF database on the server’s default SQL Server instance.
9) Set up IIS application. Run the SetupIIS.bat Windows Batch File to set up IIS with a configured application that will contain a copy of the “ArgonautDoNotFly” folder in “C:\inetpub\wwwroot” (the default web site folder). NOTE: To set up the Argonaut Do Not Fly Service with a different application name, edit the value of APPNAME in the batch file as shown: Set APPNAME=NewAppName
10) Verify the application is running. Open the Argonaut Do Not Fly service page in a web browser to verify the service is running. Example: An EC2 instance’s Public DNS of 123.compute.amazonaws.com would have an endpoint address of http://123.compute.amazonaws.com/ArgonautDoNotFly/doNotFly.svc for the service.
5.2.3 Secure Mode configuration
The Argonaut Do Not Fly Service can be configured to operate in secure mode (assuming the ADNF database has been configured with valid service credentials) by editing the deployed Web.config file located in the same folder as the doNotFly.svc markup file. Using a text editor, such as Notepad, change the producerBehavior element’s secureMode attribute from “false” to “true” (secureMode="true") to enable the secure operation mode. The Web.config in the deployment package ships with this attribute set to “false”, so a freshly deployed service accepts unauthenticated requests until it is changed.
5.2.4 Debug Mode configuration
The Argonaut Do Not Fly Service can be configured to operate in a debug mode, which enables detailed raw SOAP message logging to the ADNF database. All SOAP messages received and sent by the Argonaut Do Not Fly Service are logged. In addition, all SOAP messages sent and received while consuming both the Air Identity Service and the Basic Airline Service are logged. Edit the Web.config file and change the producerBehavior element’s debug attribute from “false” to “true” (debug="true") to enable debug mode. Because the raw messages stored this way include whatever the security headers carry, enable debug mode only while troubleshooting and turn it off afterward.
5.3 Working with the source code
The Argonaut Do Not Fly Service was created as a multi-project solution in Visual Studio 2012 Professional (VS2012). The ArgonautDoNotFlySourcePackage.zip file contains the ArgonautDoNotFly solution source files. In addition, the Microsoft Enterprise Library Data Access Application Block (and dependencies) are included as these files were added to the solution via the NuGet Package Manager. After unzipping the source package, open the ArgonautDoNotFly solution file in VS2012.
5.3.1 ArgonautDoNotFly project
The ArgonautDoNotFly project is a WCF Service Application project with Service and Implementation sub-folders to hold files related to those layers. A Utility folder holds files that provide a custom ServiceHost to filter unnecessary WSDL namespaces. This project contains the doNotFly.svc markup file, the Web.config file, and the bin folder files that are included in the deployment package. The ArgonautDoNotFly project has references added for the following projects: AirIdentityConsumer, BasicAirlineConsumer, Library, and MessageInspector.
5.3.2 AirIdentityConsumer project
The AirIdentityConsumer project is a C# Class Library project with Consumer and Implementation sub-folders to hold files related to those layers. A Utility folder contains encryption utilities that support working with an Air Identity Service. In addition, a Service Reference is added as a proxy to the Air Identity Service. The AirIdentityConsumer has references added for the following projects: Library and MessageInspector.
5.3.3 BasicAirlineConsumer project
The BasicAirlineConsumer project is a C# Class Library project with Consumer and Implementation sub-folders to hold files related to those layers. In addition, a Service Reference is added as a proxy to the BasicAirline service (WF Airlines was used to create this proxy). The BasicAirlineConsumer has references added for the following projects: Library and MessageInspector.
5.3.4 Library project
The Library project is a C# Class Library project with the Microsoft Enterprise Library 5.0 – Data Access Application Block added via the NuGet package manager.
5.3.5 MessageInspector project
The MessageInspector project is a C# Class Library project with references added for the Library project.
5.3.6 TestConsumer project
The TestConsumer project is a C# Console Application project with references added for the following projects: AirIdentityConsumer, BasicAirlineConsumer, Library, and MessageInspector. NOTE: This project is not part of the Argonaut Do Not Fly Service; it is only provided as a tool for testing the consumer aspects of the service from the development workstation.
6 DESIGN AND RATIONALE
6.1 Overview
Within the Airline Reservation System, the Argonaut Do Not Fly Service is a composed service that acts as both a consumer of Basic Airline Services and a producer service for Do Not Fly consumers. Operating in secure mode will consume Air Identity Service operations per the [PROJREQ] document.
[Figure: Airline Reservation System Overview. Basic Airline Services: Redneck Riviera Airlines (PHP) and West Florida Airlines (Java). Do Not Fly Service: Argonaut Do Not Fly (WCF). Do Not Fly Consumer: Do Not Fly Consumer Tester (Java). Authentication Service: AirIdentity (PHP).]
The Argonaut Do Not Fly Service uses a layered architecture with multiple code projects to facilitate a flexible modular structure. In general, layers are only accessed from the layer above or below, depending on the direction of message flow. The Argonaut Do Not Fly Service utilizes Windows Communication Foundation (WCF) .NET 4.5 framework for receiving/sending data as SOAP messages. In addition, the WCF composed service is designed to be hosted on an Internet Information Services (IIS) server.
[Figure: Argonaut Do Not Fly Design Overview. From the Internet inward: Producer Message Inspector, Do Not Fly Service, Do Not Fly Implementation; Consumer Message Inspector, Air Identity Consumer, Air Identity Implementation; Consumer Message Inspector, Basic Airline Consumer, Basic Airline Implementation; then the Library and the SQL Database. VS Project Legend: colors map the boxes to the MessageInspector, ArgonautDoNotFly, AirIdentityConsumer, BasicAirlineConsumer and Library projects.]
6.2 Layer 1 – WCF Message Inspectors
The Message Inspector layer is a self-contained project within the ArgonautDoNotFly solution. This layer utilizes extensions to the WCF message pipeline to inspect SOAP messages that are either received or sent. SOAP security headers are accessed in this layer.
6.2.1 Producer Message Inspector
The ProducerMessageInspector (P_MI) is an implementation of IDispatchMessageInspector, which is an extensibility point [WCFEXT] in the WCF dispatcher (producer) pipeline. The ProducerBehavior implements IEndpointBehavior in order to add the ProducerMessageInspector to the producer endpoint's run-time message inspectors. The ProducerBehavior is added to the service endpoint via the ProducerBehaviorExtensionElement, an extension of BehaviorExtensionElement. This extension makes the endpoint behavior configurable with two parameters, secureMode and debug, that are set in the Web.config file. The P_MI has the following responsibilities:
a. Log DoNotFly request and response messages to satisfy the requirement of STIG APP3640 (transaction logs for access) [SECPROC] and for troubleshooting purposes.
b. If operating in secure mode, read the security header information and add corresponding properties to the IncomingMessageProperties dictionary for retrieval by the layer 2 DoNotFly service.
6.2.2 Consumer Message Inspector
The ConsumerMessageInspector (C_MI) is an implementation of IClientMessageInspector, which is an extensibility point in the WCF client (consumer) pipeline. The ConsumerBehavior implements IEndpointBehavior in order to add the ConsumerMessageInspector to the consumer endpoint's run-time message inspectors. The C_MI has the following responsibilities:
a. If operating in secure mode, add the security header information to the request message SOAP header.
b. If operating in debug mode, log consumer SOAP request and response messages for troubleshooting.
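The producer-side extension chain described in 6.2.1 (inspector, endpoint behavior, configuration element), written out as an added example for this page; it is not code from the ArgonautDoNotFly solution. The namespace, the property keys, the SOAP header element name and namespace, and the Trace sink are assumptions: the project's inspector reads the header defined in [AUTHSPEC] and logs to the ADNF database through the Library layer.

```csharp
// Added example (not the ArgonautDoNotFly code): producer-side inspector, endpoint
// behavior and configuration element. Header name/namespace, property keys and the
// Trace sink are assumptions; the project logs to the ADNF database via the Library.
using System;
using System.Configuration;
using System.Diagnostics;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Configuration;
using System.ServiceModel.Description;
using System.ServiceModel.Dispatcher;
using System.Xml;

namespace Example.MessageInspector
{
    // Keys under which the inspector publishes state for the layer 2 operation.
    public static class SecurityProps
    {
        public const string SecureMode = "adnf.secureMode";
        public const string HeaderXml = "adnf.securityHeaderXml";
    }

    public class ProducerMessageInspector : IDispatchMessageInspector
    {
        // Assumed header identity; take the real element name and namespace from [AUTHSPEC].
        private const string HeaderName = "Security";
        private const string HeaderNs = "http://example.invalid/airIdentity/security";
        private readonly bool secureMode;
        private readonly bool debug;

        public ProducerMessageInspector(bool secureMode, bool debug)
        {
            this.secureMode = secureMode;
            this.debug = debug;
        }

        public object AfterReceiveRequest(ref Message request, IClientChannel channel,
                                          InstanceContext instanceContext)
        {
            // Transaction record for every access (STIG APP3640): action and remote address.
            var remote = request.Properties[RemoteEndpointMessageProperty.Name] as RemoteEndpointMessageProperty;
            Log("REQUEST", request.Headers.Action, remote == null ? "?" : remote.Address);
            if (debug) request = DumpRaw("REQUEST-RAW", request);

            request.Properties[SecurityProps.SecureMode] = secureMode;
            if (secureMode)
            {
                string xml = null;
                int i = request.Headers.FindHeader(HeaderName, HeaderNs);
                if (i >= 0)
                    using (XmlDictionaryReader r = request.Headers.GetReaderAtHeader(i))
                        xml = r.ReadOuterXml();
                // null means the header is absent; the operation turns that into a Client fault.
                request.Properties[SecurityProps.HeaderXml] = xml;
            }
            return request.Headers.Action; // correlation state handed to BeforeSendReply
        }

        public void BeforeSendReply(ref Message reply, object correlationState)
        {
            Log("RESPONSE", (string)correlationState, reply.IsFault ? "fault" : "ok");
            if (debug) reply = DumpRaw("RESPONSE-RAW", reply);
        }

        // A Message body can be read only once: log a buffered copy and hand back a fresh one.
        private static Message DumpRaw(string kind, Message m)
        {
            MessageBuffer buffer = m.CreateBufferedCopy(int.MaxValue);
            Log(kind, buffer.CreateMessage().ToString(), null);
            return buffer.CreateMessage();
        }

        private static void Log(string kind, string a, string b)
        {
            Trace.WriteLine(string.Format("{0:u} {1} {2} {3}", DateTime.UtcNow, kind, a, b));
        }
    }

    public class ProducerBehavior : IEndpointBehavior
    {
        private readonly bool secureMode, debug;
        public ProducerBehavior(bool secureMode, bool debug) { this.secureMode = secureMode; this.debug = debug; }
        public void AddBindingParameters(ServiceEndpoint e, BindingParameterCollection p) { }
        public void ApplyClientBehavior(ServiceEndpoint e, ClientRuntime r) { }
        public void ApplyDispatchBehavior(ServiceEndpoint e, EndpointDispatcher d)
        {
            d.DispatchRuntime.MessageInspectors.Add(new ProducerMessageInspector(secureMode, debug));
        }
        public void Validate(ServiceEndpoint e) { }
    }

    // Exposes <producerBehavior secureMode="..." debug="..."/> to Web.config.
    public class ProducerBehaviorExtensionElement : BehaviorExtensionElement
    {
        [ConfigurationProperty("secureMode", DefaultValue = false)]
        public bool SecureMode { get { return (bool)this["secureMode"]; } set { this["secureMode"] = value; } }

        [ConfigurationProperty("debug", DefaultValue = false)]
        public bool Debug { get { return (bool)this["debug"]; } set { this["debug"] = value; } }

        public override Type BehaviorType { get { return typeof(ProducerBehavior); } }
        protected override object CreateBehavior() { return new ProducerBehavior(SecureMode, Debug); }
    }
}
```

To use it, register the element once under system.serviceModel/extensions/behaviorExtensions in Web.config (`<add name="producerBehavior" type="Example.MessageInspector.ProducerBehaviorExtensionElement, MessageInspector" />`, with the assembly-qualified name of the assembly you actually build) and reference it from the endpoint behavior configuration as `<producerBehavior secureMode="true" debug="false" />`; that attribute pair is what sections 5.2.3 and 5.2.4 toggle. Keeping the transaction log separate from the raw dump means the APP3640 record is always written, while the raw messages, which include whatever the security header carries, are only stored when debug is on.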
6.3 Layer 2 – Producer/Consumer Layer
The producer/consumer layer is the output of the ServiceModel Metadata Utility (SvcUtil). The generated classes and interfaces represent each of the services, operations, messages, and types specified in the Web Services Description Language (WSDL) and XML Schema Definition (XSD) files. In addition to the generated code, classes are created to implement the corresponding generated interfaces.
6.3.1 PRODUCER – Do Not Fly Service
The Do Not Fly Service (DNF_S), contained in the ArgonautDoNotFly project, receives inbound request messages (and sends outbound response messages) for the doNotFly passengerSearch operation. The DNF_S code is generated by applying the SvcUtil program to both the WSDL and XSD files, doNotFly.wsdl and airlineData.xsd, respectively. In addition, the doNotFly class is created to implement the IdoNotFly interface. The DNF_S consists of the following interface and classes:
- IdoNotFly
- passengerSearch
- PassengerType
- passengerListEntry
- passengerSearchRequest
- passengerSearchResponse
- doNotFly
The doNotFly class contains the following public method:
- passengerSearch()
Besides calling a corresponding layer 3 method, the passengerSearch method has the added responsibility of retrieving the IncomingMessageProperties, which are added by the P_MI, to represent security operating mode and security header information. Any errors thrown by the layer 3 passengerSearch method are caught and converted into SOAP Faults with a “Client” fault code and a generic message.
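How the layer 2 operation consumes what the producer inspector published and keeps error detail off the wire, as an added example written for this page and not the SvcUtil-generated doNotFly class. The stand-in contract (string parameters instead of the generated message contracts), the property keys, and the in-memory passenger list standing in for the layer 3 calls are all assumptions.

```csharp
// Added example (not the project's generated code): a layer 2 operation in the shape
// of doNotFly.passengerSearch. Contract, property keys and the in-memory layer 3
// stand-in are assumptions.
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Linq;
using System.ServiceModel;

namespace Example.Service
{
    [ServiceContract(Namespace = "http://example.invalid/doNotFly")]
    public interface IDoNotFlyStandIn
    {
        [OperationContract]
        string[] passengerSearch(string nameContains, string dateOfBirth);
    }

    public class DoNotFlyStandIn : IDoNotFlyStandIn
    {
        public string[] passengerSearch(string nameContains, string dateOfBirth)
        {
            // Properties published by the producer message inspector (layer 1).
            bool secureMode = Incoming<bool>("adnf.secureMode", false);
            string headerXml = Incoming<string>("adnf.securityHeaderXml", null);
            try
            {
                // In secure mode a missing header is rejected before any layer 3 work;
                // the project then calls AI_I.authenticateClient with the header content.
                if (secureMode && headerXml == null)
                    throw new UnauthorizedAccessException("security header missing");
                return FilterPassengers(GetPassengers(), nameContains, dateOfBirth);
            }
            catch (Exception ex)
            {
                // Detail stays on the server; the consumer only learns the request was
                // rejected, so nothing about credentials, SQL or the stack reaches the wire.
                Trace.TraceError("passengerSearch failed: {0}", ex);
                // CreateSenderFaultCode is written as faultcode "Client" on SOAP 1.1
                // (basicHttpBinding) and as "Sender" on SOAP 1.2.
                throw new FaultException("passengerSearch request could not be processed",
                                         FaultCode.CreateSenderFaultCode(null));
            }
        }

        private static T Incoming<T>(string key, T fallback)
        {
            OperationContext ctx = OperationContext.Current; // null when called outside WCF
            if (ctx == null || !ctx.IncomingMessageProperties.ContainsKey(key)) return fallback;
            return (T)ctx.IncomingMessageProperties[key];
        }

        // Section 4 semantics: optional case-insensitive name substring and/or exact date of birth.
        public static string[] FilterPassengers(IEnumerable<Passenger> all, string nameContains, string dateOfBirth)
        {
            return all.Where(p => string.IsNullOrEmpty(nameContains)
                                  || p.Name.IndexOf(nameContains, StringComparison.OrdinalIgnoreCase) >= 0)
                      .Where(p => string.IsNullOrEmpty(dateOfBirth) || p.DateOfBirth == dateOfBirth)
                      .Select(p => p.Name + " " + p.DateOfBirth)
                      .ToArray();
        }

        public class Passenger { public string Name; public string DateOfBirth; }

        private static IEnumerable<Passenger> GetPassengers()
        {
            // Constructed sample data standing in for BA_I.getPassengers.
            return new[] { new Passenger { Name = "Jane Doe", DateOfBirth = "1980-01-02" },
                           new Passenger { Name = "John Roe", DateOfBirth = "1975-05-06" } };
        }
    }
}
```

The one exception type that is deliberately not caught here is FaultException itself: if layer 3 ever throws a fault it wants the consumer to see, add a `catch (FaultException) { throw; }` clause before the generic one, otherwise the generic handler would rewrap it.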
6.3.2 CONSUMER – Air Identity Consumer
The Air Identity Consumer (AI_C) is part of the AirIdentityConsumer project. The AI_C sends request messages (and receives reply messages) to the Air Identity Service operations getNonce and authenticate. The AI_C generated code is the result of applying the SvcUtil program (via the Visual Studio 2012 Add Service Reference) to both the WSDL (AirIdentity.wsdl) and XSD (AirIdentity.xsd) files retrieved from a deployed Air Identity Service. In addition, an AIConsumer class is created to instantiate the WCF client proxy of the Air Identity Service. The AI_C consists of the following interfaces and classes:
- airIdentityService
- getNonceRequest
- getNonceResponse
- authenticateRequest
- authenticateResponse
- authorizeRequest
- authorizeResponse
- airIdentityServiceChannel
- airIdentityServiceClient
- AIConsumer
The AI_C is responsible for building a run-time configured WCF client proxy that consumes an AirIdentity Service. The AIConsumer adds the C_MI ConsumerBehavior to the run-time consumer endpoint behaviors. Security information is injected into the C_MI ConsumerBehavior for insertion into the SOAP headers. The AIConsumer class has the following public methods that are called from corresponding layer 3 Air Identity Implementation methods:
- getNonce()
- authenticate()
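The consumer-side counterpart to 6.2.2 and 6.3.2: an IClientMessageInspector that injects the security header and a proxy built at run time with the behavior attached, as an added example for this page rather than the AirIdentityConsumer project's code. The header element names and namespace, the two-operation stand-in contract, and the BasicHttpBinding are assumptions; the real proxy is the SvcUtil-generated airIdentityServiceClient, and the token value is computed by the SHA-256 rule of section 3.5 before the header is handed in.

```csharp
// Added example (not the AirIdentityConsumer code): consumer-side header injection and
// a run-time built proxy. Header element names/namespace, the stand-in contract and
// the binding are assumptions; the project uses the SvcUtil-generated client instead.
using System;
using System.Diagnostics;
using System.Runtime.Serialization;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Description;
using System.ServiceModel.Dispatcher;

namespace Example.Consumer
{
    // Element order follows section 3.5: the token is SHA-256 over the first four, in this order.
    [DataContract(Name = "Security", Namespace = SecurityHeader.Ns)]
    public class SecurityHeader
    {
        public const string Ns = "http://example.invalid/airIdentity/security";
        [DataMember(Name = "callerUsername", Order = 1)] public string CallerUsername { get; set; }
        [DataMember(Name = "callerPassword", Order = 2)] public string CallerPassword { get; set; }
        [DataMember(Name = "clientUsername", Order = 3)] public string ClientUsername { get; set; }
        [DataMember(Name = "clientPassword", Order = 4)] public string ClientPassword { get; set; }
        [DataMember(Name = "binarySecurityToken", Order = 5)] public string BinarySecurityToken { get; set; }
        [DataMember(Name = "timestamp", Order = 6)] public string Timestamp { get; set; }
    }

    public class ConsumerMessageInspector : IClientMessageInspector
    {
        private readonly SecurityHeader header; // null outside secure mode
        private readonly bool debug;

        public ConsumerMessageInspector(SecurityHeader header, bool debug)
        {
            this.header = header;
            this.debug = debug;
        }

        public object BeforeSendRequest(ref Message request, IClientChannel channel)
        {
            if (header != null)
            {
                // Fresh UTC timestamp per request in the section 3.5 format ('T' escaped: not a specifier).
                header.Timestamp = DateTime.UtcNow.ToString("yyyy-MM-dd'T'HH:mm:ss");
                request.Headers.Add(MessageHeader.CreateHeader("Security", SecurityHeader.Ns, header));
            }
            if (debug) request = Dump("REQUEST", request);
            return null;
        }

        public void AfterReceiveReply(ref Message reply, object correlationState)
        {
            if (debug) reply = Dump("RESPONSE", reply);
        }

        // Message bodies are read-once: log a buffered copy and return a fresh one.
        private static Message Dump(string kind, Message m)
        {
            MessageBuffer buf = m.CreateBufferedCopy(int.MaxValue);
            Trace.WriteLine(kind + ": " + buf.CreateMessage());
            return buf.CreateMessage();
        }
    }

    public class ConsumerBehavior : IEndpointBehavior
    {
        private readonly SecurityHeader header;
        private readonly bool debug;
        public ConsumerBehavior(SecurityHeader header, bool debug) { this.header = header; this.debug = debug; }
        public void AddBindingParameters(ServiceEndpoint e, BindingParameterCollection p) { }
        public void ApplyClientBehavior(ServiceEndpoint e, ClientRuntime r)
        {
            r.ClientMessageInspectors.Add(new ConsumerMessageInspector(header, debug)); // MessageInspectors before .NET 4.5
        }
        public void ApplyDispatchBehavior(ServiceEndpoint e, EndpointDispatcher d) { }
        public void Validate(ServiceEndpoint e) { }
    }

    // Stand-in for the generated airIdentityService contract (operation shapes assumed).
    [ServiceContract(Name = "airIdentityService", Namespace = "http://example.invalid/airIdentity")]
    public interface IAirIdentityStandIn
    {
        [OperationContract] string getNonce(string username);
        [OperationContract] bool authenticate(string username, string encryptedNonce);
    }

    public static class AIConsumer
    {
        // The URL and the credentials behind the header come from the ADNF database at
        // run time (section 3.5), so nothing security-related has to live in Web.config.
        public static IAirIdentityStandIn Create(string airIdentityUrl, SecurityHeader header, bool debug)
        {
            var factory = new ChannelFactory<IAirIdentityStandIn>(new BasicHttpBinding(),
                                                                  new EndpointAddress(airIdentityUrl));
            factory.Endpoint.EndpointBehaviors.Add(new ConsumerBehavior(header, debug)); // Endpoint.Behaviors before .NET 4.5
            return factory.CreateChannel();
        }
    }
}
```

Because the header object is shared by every request the proxy sends, the inspector only rewrites the timestamp; the credential elements and the token are set once by the caller and never logged by this code unless debug is on.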
6.3.3 CONSUMER – Basic Airline Consumer
The Basic Airline Consumer (BA_C) is part of the BasicAirlineConsumer project. The BA_C sends request messages (and receives reply messages) to the Basic Airline Service operations findSeats and getPassengerList. The BA_C generated code is the result of applying the SvcUtil program (via the Visual Studio 2012 Add Service Reference) to both the WSDL (basicAirlineService.wsdl) and XSD (airlineData.xsd and airlineMessage.xsd) files retrieved from a deployed Basic Airline Service (West Florida Airlines). The BAConsumer class is created to instantiate the WCF client proxy of the Basic Airline Service. The BA_C consists of the following interfaces and classes:
- basicAirlineService
- PassengerType
- FlightType
- bookSeatRequest
- bookSeatResponse
- findSeatsRequest
- findSeatsResponse
- getPassengerListRequest
- getPassengerListResponse
- resetBackendRequest
- resetBackendResponse
- basicAirlineServiceChannel
- basicAirlineServiceClient
- BAConsumer
- BAFlightType
- BAPassengerListType
- BAPassengerType
The BA_C is responsible for building a run-time configured WCF client proxy that consumes a Basic Airline Service. The BAConsumer class adds the C_MI ConsumerBehavior to the run-time consumer endpoint behaviors. Security information is injected into the C_MI ConsumerBehavior for insertion into the SOAP headers. The BAConsumer has the following public methods that are called from corresponding layer 3 Basic Airline consumer implementation methods:
- findSeats()
- getPassengerList()
The BAFlightType class inherits the FlightType of the generated code to provide the implementation layer access to the flight information. The BAPassengerType class inherits the PassengerType of the generated code to provide the implementation layer access to the passenger information. The BAPassengerListType class is responsible for providing the implementation layer access to the getPassengerListResponse information.
6.4 Layer 3 – Implementation Layer
The implementation layer does the processing logic required by the producer operation. In addition, this layer implements the processing logic required for consuming operations.
6.4.1 PRODUCER – doNotFlyImplementation class
The doNotFlyImplementation (DNF_I) class is contained in the ArgonautDoNotFly project. The DNF_I is responsible for performing the logic behind the implementation of the Do Not Fly passengerSearch operation. The DNF_I has the following public method:
- passengerSearch()
The passengerSearch method, when in secure mode, will determine if the “client” is authentic by calling a method, authenticateClient, in the Air Identity implementation layer. An unauthenticated client is treated as an exception that is thrown back to the calling layer 2 DNF_S passengerSearch method. In unsecured mode (or secured mode with a confirmed authentication), a Basic Airline consumer implementation layer method, getPassengers, is called to get a list of all passengers that match the window of departure flight times for the airline. Before returning the list of passengers to the calling layer 2 DNF_S passengerSearch method, the passenger list is filtered to include matches based on the optional passenger date of birth and/or match string.
6.4.2 CONSUMER – AIImplementation and EncryptionUtility class
The AIImplementation (AI_I) class is contained in the AirIdentityConsumer project. AI_I is only used when the Argonaut Do Not Fly Service is operating in secure mode. The AI_I is called from the layer 3 methods in either the Do Not Fly producer implementation class or the Basic Airline consumer implementation class. The AI_I is responsible for performing all the processing logic associated with consuming AirIdentity operations (getNonce and authenticate). The AI_I calls the AI_C layer 2 methods to consume the operations. The following are the AI_I public methods: -
authenticateClient()
getUserPassword()
The authenticateClient method performs use case steps 12-25 in [AUTHSPEC] as required to get a nonce and authenticate a “client” username and password. The getUserPassword method performs use case steps 1-9 (or 12-20) in [AUTHSPEC] as required to obtain a user password that can be placed in a security header. The static EncryptionUtility class provides encryption support methods for tasks associated with the [AUTHSPEC] use case steps. The following are the public methods: -
DecryptFromAesToBase64String()
DecryptNonce()
EncryptAesToBase64String()
SHA256toHexString()
The DecryptFromAesToBase64String method decodes a Base64 string and then performs an AES decryption to obtain a plain text string. The DecryptNonce method performs the steps to decode and decrypt an encrypted nonce. The EncryptAesToBase64String method performs an AES encryption of a plain text with a key using ECB cipher mode and PKCS7 padding (compatible with [AUTHSPEC] required PKCS5 padding). The resulting encryption is encoded into a Base64 string. The SHA256toHexString method performs a SHA256 hash on a given string. The computed hash is then converted to a lowercase hex string.
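The following is an added illustration of the four EncryptionUtility operations described above, written for this document rather than taken from the ArgonautDoNotFly project. It assumes the key is supplied as raw bytes of a valid AES length (16, 24 or 32 bytes), that plain text is UTF-8, and that an encrypted nonce is simply a Base64 string of AES-ECB cipher text under the shared key; the class and parameter names are illustrative, not the project's. Note the caveat the mode itself carries: ECB has no IV, so two identical plain text blocks produce identical cipher text blocks, which is why this utility should only ever see the short, single-use values (nonce, password) the [AUTHSPEC] use case steps call for, and the SHA256 wrapper is an unkeyed, unsalted digest, not a MAC.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Illustrative stand-in for the Library's EncryptionUtility (names assumed).
public static class EncryptionUtilityExample
{
    // AES, ECB mode, PKCS7 padding (identical to PKCS5 padding for AES's
    // 16-byte block), result Base64-encoded for transport in a SOAP header.
    public static string EncryptAesToBase64String(string plainText, byte[] key)
    {
        using (Aes aes = Aes.Create())
        {
            aes.Key = key;                   // must be 16, 24 or 32 bytes
            aes.Mode = CipherMode.ECB;       // no IV: equal blocks encrypt equally
            aes.Padding = PaddingMode.PKCS7;
            using (ICryptoTransform enc = aes.CreateEncryptor())
            {
                byte[] input = Encoding.UTF8.GetBytes(plainText);
                byte[] output = enc.TransformFinalBlock(input, 0, input.Length);
                return Convert.ToBase64String(output);
            }
        }
    }

    // Reverse path: Base64 decode, then AES-ECB decrypt and strip PKCS7 padding.
    // A bad key or tampered cipher text surfaces as CryptographicException
    // (invalid padding); callers should log it and fail the request.
    public static string DecryptFromAesToBase64String(string base64CipherText, byte[] key)
    {
        byte[] input = Convert.FromBase64String(base64CipherText);
        using (Aes aes = Aes.Create())
        {
            aes.Key = key;
            aes.Mode = CipherMode.ECB;
            aes.Padding = PaddingMode.PKCS7;
            using (ICryptoTransform dec = aes.CreateDecryptor())
            {
                byte[] output = dec.TransformFinalBlock(input, 0, input.Length);
                return Encoding.UTF8.GetString(output);
            }
        }
    }

    // Assumption: the nonce returned by AirIdentity is Base64 text of AES-ECB
    // cipher text under the shared symmetric key, so decoding and decrypting
    // it is the same operation as above.
    public static string DecryptNonce(string encryptedNonce, byte[] key)
    {
        return DecryptFromAesToBase64String(encryptedNonce, key);
    }

    // SHA-256 over the UTF-8 bytes of the input, rendered as lowercase hex.
    public static string SHA256toHexString(string text)
    {
        using (SHA256 sha = SHA256.Create())
        {
            byte[] hash = sha.ComputeHash(Encoding.UTF8.GetBytes(text));
            StringBuilder sb = new StringBuilder(hash.Length * 2);
            foreach (byte b in hash)
            {
                sb.Append(b.ToString("x2"));
            }
            return sb.ToString();
        }
    }
}
```

Because ECB ignores the IV, nothing about the IV needs to be shared with AirIdentity; the only secret that must match on both sides is the symmetric key loaded by the Library's GetCredentials method.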
6.4.3 CONSUMER – BAImplementation and BAPassengerList classes
The BAImplementation (BA_I) class is contained in the BasicAirlineConsumer project. The BA_I is only accessed from the DNF_I layer 3 method, passengerSearch. The BA_I is responsible for performing all the processing logic associated with consuming Basic Airline operations (findSeats and getPassengerList). In secure mode, the BA_I will call the AI_I layer 3 method, getUserPassword, to retrieve a password that can be used in a security header required for consuming secured Basic Airline operations. The following is the BA_I public method: -
getPassengers()
The getPassengers method retrieves an airline’s list of flights that match the search parameters from the layer 2 BA_C findSeats method. This flight list is used to retrieve a corresponding passenger list from the layer 2 BA_C getPassengerList method. The combined passenger list of all matching flights is returned to the calling DNF_I passengerSearch method. The BAPassengerList class is responsible for providing the flight ID and passenger information returned to the DNF_I getPassengers method.
6.5 Layer 4 – Library and Database
6.5.1 Library
The Library (a self-contained project that uses the Enterprise Library Data Application Block [ENTLIBDB] to facilitate access to the SQL Server database, ADNF) holds both global state information and logging utilities. The Argonaut Do Not Fly operating modes related to security and debugging are maintained in the OperatingMode static class. The Credentials static class holds the in-memory copy of the assigned service credentials (i.e. username and symmetric encryption key) and the URL of an active Air Identity Service.
The following are the public methods: -
GetCredentials()
LogMessage()
LogText()
The GetCredentials method calls a SQL stored procedure, GetCredentials, to load the service credentials from the ADNF database into the Credentials static properties: MyUsername, MyKey, and AuthenticationURL. The LogMessage method deserializes a SOAP message into a string that is logged in the database. The LogText method logs a text message in the database.
6.5.2 ADNF Database
The ADNF database is responsible for both logging access (and debugging) data and securing the Argonaut Do Not Fly Service’s service credentials. The ADNF database has two tables, Credentials and TransactionLog, as shown below.
Two stored procedures, GetCredentials and WriteLogEntry, are used by the Argonaut Do Not Fly Service to access the database. The GetCredentials stored procedure returns the first row from the Credentials table as it is assumed that the Argonaut Do Not Fly service will only have one set of credentials. The WriteLogEntry stored procedure inserts logging information into the TransactionLog table. Since the Argonaut Do Not Fly Service is designed to run in the IIS DefaultAppPool using Windows Integrated Authentication for access to the ADNF database, a SQL Server login (using Windows authentication) is created for “IIS APPPOOL\DefaultAppPool” to permit access to the ADNF database.
The “IIS APPPOOL\DefaultAppPool” login is added to the ADNF database roles: db_datareader and db_datawriter.
Explicit securable permissions to execute both ADNF stored procedures, GetCredentials and WriteLogEntry, are granted to the “IIS AppPool\DefaultAppPool” database user.
7 SECURITY TOUCHPOINT ITEMS
The Argonaut Do Not Fly Service was developed according to an established Security Process [SECPROC]. Security Assurance Cases that addressed four United States Department of Defense Security Technical Implementation Guide (STIG) vulnerabilities [SECCHK] were created for review during the Software Development Life Cycle’s Design and Implementation phases.
7.1 STIG APP3120
The application reveals no system-generated exception output to users. The Argonaut Do Not Fly Layer 1, Producer Message Inspector (P_MI), and Layer 2, Do Not Fly Service (DNF_S), are the only layers interacting with outgoing communication to the Argonaut Do Not Fly consumers (users). The message pipeline is protected with try/catch blocks that insulate the message pipeline from system-generated exception messages. Exceptions are caught and converted to SOAP Faults with a “Client” fault code and a generic fault reason string. Errors encountered while consuming either AirIdentity or Basic Airline services are caught and logged. If the error is related to authenticating with AirIdentity, then that message is passed back to the layer 3 Do Not Fly Implementation layer passengerSearch method.
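The boundary pattern described above, as an added example rather than the project's DNF_S or P_MI code: every exception raised while servicing passengerSearch is logged with full detail on the server side, and the consumer receives only a SOAP Fault with the “Client” fault code and a fixed, generic reason string. The Guard wrapper, the log delegate (standing in for the Library's LogText method) and the reason text are assumptions made for this illustration.

```csharp
using System;
using System.ServiceModel;

// Illustrative boundary wrapper (not the project's code). The log delegate
// stands in for the Library's LogText method.
public class PassengerSearchBoundary
{
    private readonly Action<string> _log;

    public PassengerSearchBoundary(Action<string> log)
    {
        _log = log;
    }

    // Runs an operation and converts any failure into a "Client" SOAP Fault
    // whose reason never includes exception type, message or stack trace.
    public T Guard<T>(Func<T> operation)
    {
        try
        {
            return operation();
        }
        catch (Exception ex)
        {
            // Full detail stays in the transaction log for the operator.
            _log(string.Format("passengerSearch failed: {0}: {1}{2}{3}",
                               ex.GetType().FullName, ex.Message,
                               Environment.NewLine, ex.StackTrace));

            // Fixed reason string: no system-generated text reaches the consumer.
            throw new FaultException(
                "The passengerSearch request could not be processed.",
                new FaultCode("Client"));
        }
    }
}

// Usage at the layer 2 operation (types and names assumed):
//   var boundary = new PassengerSearchBoundary(Library.LogText);
//   return boundary.Guard(() => implementation.passengerSearch(request));
```

The same reason string is returned for an authentication failure and for an internal error, so a consumer cannot tell the two apart from the fault alone; the distinction is available only to an operator reading the TransactionLog table.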
7.2 STIG APP3640
The application supports the creation of transaction logs for access and changes to the data. The Argonaut Do Not Fly service does not change any data. Therefore, data access transaction logs are created for all requests/responses to/from the Argonaut Do Not Fly passengerSearch operation via a single capture point, the P_MI.
7.3 STIG APP3350
Application code does not include authentication data (such as userID, password). The Argonaut Do Not Fly Service’s service authentication data, username and symmetric encryption key, is stored in the SQL Server 2008 R2 Express edition database, ADNF. Windows Integrated Authentication is used to control access to the database. Since the Argonaut Do Not Fly Service is hosted in the IIS 7.5 default application pool, the service process is associated with a Windows identity “IIS AppPool\DefaultAppPool” that is used to log in to the local SQL Server using Windows authentication.
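The following added example shows how the Library's GetCredentials method (section 6.5.1) can satisfy this touchpoint: the connection string carries no username or password because the application pool's Windows identity authenticates to SQL Server, and the credentials are read through the GetCredentials stored procedure, which is the only object the pool identity needs EXECUTE on. This is not the project's code (the project uses the Enterprise Library Data Access Application Block); the instance name, the Credentials column names and the Base64 encoding of the key column are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Illustrative stand-in for the Library's Credentials class (names assumed).
public static class CredentialsExample
{
    public static string MyUsername { get; private set; }
    public static byte[] MyKey { get; private set; }
    public static string AuthenticationURL { get; private set; }

    // No credentials in code or config: Integrated Security=SSPI makes the
    // "IIS AppPool\DefaultAppPool" identity the SQL Server login.
    // Instance name assumed for SQL Server 2008 R2 Express.
    private const string ConnectionString =
        @"Server=.\SQLEXPRESS;Database=ADNF;Integrated Security=SSPI";

    // Loads the single Credentials row via the GetCredentials stored procedure.
    public static void GetCredentials()
    {
        using (SqlConnection conn = new SqlConnection(ConnectionString))
        using (SqlCommand cmd = new SqlCommand("dbo.GetCredentials", conn))
        {
            // Calling the procedure (rather than SELECTing the table) keeps the
            // required permission to the explicit EXECUTE grant described in 6.5.2.
            cmd.CommandType = CommandType.StoredProcedure;
            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader(CommandBehavior.SingleRow))
            {
                if (!reader.Read())
                {
                    throw new InvalidOperationException("ADNF Credentials table is empty.");
                }
                // Column names are assumptions; the page names only the properties.
                MyUsername = reader.GetString(reader.GetOrdinal("Username"));
                MyKey = Convert.FromBase64String(
                    reader.GetString(reader.GetOrdinal("SymmetricKey")));
                AuthenticationURL = reader.GetString(reader.GetOrdinal("AuthenticationURL"));
            }
        }
    }
}
```

Because the key lives only in the MyKey static property after load, the sensitive material is confined to the process memory of the DefaultAppPool worker process and the ADNF database itself, which is what the explicit db_datareader/db_datawriter roles and EXECUTE grants in section 6.5.2 are scoped to.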
7.4 STIG APP3500
The application executes with no more privileges than necessary for proper operation. The application is hosted in Internet Information Services (IIS) 7.5, which allows the application pool to have its own identity. The Argonaut Do Not Fly Service is configured to run in the default application pool, which uses the “IIS AppPool\DefaultAppPool” identity [LEASTPRIV]. This identity has a reduced local privilege. The explicit SQL user permissions, as specified previously in this document, ensure that the application does not require elevated privileges to access the ADNF Database.
8 APPENDIX – SAMPLE TESTCONSUMER RUN
The TestConsumer console application provides the user with the ability to test the Argonaut Do Not Fly Service’s consumer aspects (AirIdentityConsumer, BasicAirlineConsumer, Library, and MessageInspector projects) from the developer’s workstation using the Visual Studio debugger. Below is a screen shot of the console from a sample run:
The TestConsumer App.config file has been set to create a messages.svclog file (in the TestConsumer App_data folder) that can be viewed with the Microsoft Service Trace Viewer. The Service Trace Viewer Tool is one of the tools included in the Windows Software Development Kit (SDK) for Windows 8 [WINSDK8] that is supported on Windows 7 and Windows Server 2008 R2. Below are screen shots from viewing some of the messages logged during the above sample run of TestConsumer: