RE: [wsdm] Security Question: MOWS: Managing Secure Web services

["Jeff Bohren" <jbohren@opennetwork.com>]

Title: Message

Similar to the other thread, I would have the following categories:

 

Configuration:

    Transport level authentication settings

    PKI Info (server cert, trusted CAs, CRLs)

    TLS Configuration

    HTTP restrictions (allowed verbs, etc)

    SOAP specific security settings

 

Metrics:

    Successful Authentications (total, per time period, etc)

    Failed Authentications

    Successful Authorizations

    Failed Authorizations

 

Notifications:

    Failed Authentications

    Failed Authorizations

 

Policies:

    Access control rules

 

One intersting question to me is whether the transport level security is managed on the same resource as the SOAP security? In other words a SOAP/HTTPS endpoint could have security at the transport level (via HTTPS, Basic Auth, etc) and at the SOAP level (WSS). Is this considered the same WSDM resource, or is there one resource for the HTTPS endpont and one for the SOAP end point?

 

Jeff Bohren

Product Architect

OpenNetwork Technologies, Inc

 

Try the industry's only 100% .NET-enabled identity management software. Download your free copy of Universal IdP Standard Edition today. Go to www.opennetwork.com/eval.

 

-----Original Message-----
From: Heather Kreger [mailto:kreger@us.ibm.com]
Sent: Friday, June 04, 2004 9:28 AM
To: wsdm@lists.oasis-open.org
Subject: [wsdm] Security Question: MOWS: Managing Secure Web services

per our call today, I'm starting this email thread on managing policies for secure Web services.

Given that security can be managed for 'any IT resource' using WSDM, are there specific additional requirements
when that IT resource is a Web service?

Heather Kreger
STSM, Web Services Lead Architect for SWG Emerging Technologies
Author of "Java and JMX: Building Manageable Systems"
kreger@us.ibm.com
919-543-3211 (t/l 441) cell:919-496-9572