Network Authentication Authorization Services

From Exchange Network Wiki


Introduction

 Network Authentication and Authorization Service (NAAS) is a set of shared security services for the Network Nodes, which includes user authentication, identity management, policy management and access control.

 NAAS can be viewed as either a centralized or a federated security model: it is hosted centrally by EPA and available to all network nodes, but the users and access control policies of each node are managed independently by that node's administrator. In that sense it is a federation of the state node security models.

 NAAS provides single sign-on (SSO) across the Exchange Network. Once a node administrator creates an account, that account can be used to access any Exchange Network node on which it is authorized. When a user authenticates to NAAS, NAAS issues a security token that serves as proof of authentication to every node. A user account must be unique within NAAS, and it is strongly recommended that the user's email address be used as the account ID.

User Authentication Scheme

NAAS supports several authentication schemes, including password, digest, HMAC, XKMS key and X.509 certificate authentication. Authentication through WS-Security with an X.509 token is also supported.

For machine-to-machine authentication, NAAS implements a special mechanism, the Secure Authentication Key (SAK). A SAK is an encrypted multi-factor credential tied to a machine IP address and a user account; it can be used in place of a password by Network Nodes and other web applications. Additional technical information is available at:

  http://www.exchangenetwork.net/node/dev_toolbox/sak.htm

NAAS Versions and Endpoints

 There are two versions of NAAS: NAAS v2.0 and NAAS v3.0. NAAS v2.0 is designed for Network Node v1.1, and NAAS v3.0 for Network Node v2.0. A version 2.0 node MUST use NAAS v3.0 as its security service. The endpoints and WSDLs for NAAS are listed below:

NAAS v2.0 [Test Environment]

  https://naas.epacdxnode.net/xml/auth.wsdl
  https://naas.epacdxnode.net/xml/usermgr.wsdl
  https://naas.epacdxnode.net/xml/policy.wsdl

NAAS v2.0 [Production Environment]

  https://cdxnodenaas.epa.gov/xml/auth.wsdl
  https://cdxnodenaas.epa.gov/xml/usermgr.wsdl
  https://cdxnodenaas.epa.gov/xml/policy.wsdl


NAAS v3.0 [Test Environment]

  https://naas.epacdxnode.net/xml/auth_v30.wsdl
  https://naas.epacdxnode.net/xml/usermgr_v30.wsdl
  https://naas.epacdxnode.net/xml/policy_v30.wsdl

NAAS v3.0 [Production Environment]

  https://cdxnodenaas.epa.gov/xml/auth_v30.wsdl
  https://cdxnodenaas.epa.gov/xml/usermgr_v30.wsdl
  https://cdxnodenaas.epa.gov/xml/policy_v30.wsdl


Technical specifications of NAAS v2.0 and NAAS v3.0 are available by request only. You may acquire a copy from the Exchange Network helpdesk at nodehelpdesk@csc.com.

NAAS v2.0 and v3.0 user accounts are compatible: an account created for a node v1.1 is also valid for node v2.0.

Implementation Tips

For nodes or clients built on the Axis toolkit: the Axis2 v1.4.1 client sends service requests with "Transfer-Encoding: chunked" by default. Chunked transfer encoding must be turned off in the Axis2 client for requests to NAAS to work.
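The following is an added example, not code from the wiki page or from the NAAS project, showing how an Axis2 1.4.1 client turns off chunked transfer encoding before calling a NAAS service. The endpoint URL is a placeholder (the page lists only WSDL locations, so take the real service endpoint from the WSDL for your environment), and the stub class name in the comment is hypothetical; `HTTPConstants.CHUNKED` is the standard Axis2 option key.

```java
import org.apache.axis2.AxisFault;
import org.apache.axis2.addressing.EndpointReference;
import org.apache.axis2.client.Options;
import org.apache.axis2.client.ServiceClient;
import org.apache.axis2.transport.http.HTTPConstants;

public class NaasClientOptions {

    // Placeholder endpoint (assumption): read the actual service address
    // from the NAAS WSDL for the test or production environment.
    private static final String NAAS_ENDPOINT =
        "https://naas-endpoint.example.invalid/auth_v30";

    /** Builds Axis2 client options with chunked transfer encoding disabled. */
    public static Options buildOptions(String endpoint) {
        Options options = new Options();
        options.setTo(new EndpointReference(endpoint));
        // Axis2 1.4.1 chunks the request body by default; NAAS rejects
        // chunked requests, so send a plain Content-Length body instead.
        options.setProperty(HTTPConstants.CHUNKED, Boolean.FALSE);
        return options;
    }

    /** Applies the options to a ServiceClient (or to a generated stub's client). */
    public static ServiceClient configure(ServiceClient client, String endpoint) {
        client.setOptions(buildOptions(endpoint));
        return client;
    }

    public static void main(String[] args) throws AxisFault {
        ServiceClient client = new ServiceClient();
        configure(client, NAAS_ENDPOINT);

        // With a WSDL2Java-generated stub (hypothetical class name) the same
        // switch is applied through the stub's underlying ServiceClient:
        //   NaasAuthStub stub = new NaasAuthStub(NAAS_ENDPOINT);
        //   stub._getServiceClient().setOptions(buildOptions(NAAS_ENDPOINT));

        System.out.println("chunked = "
            + client.getOptions().getProperty(HTTPConstants.CHUNKED));
    }
}
```

Set the option once on the client (or stub) before the first NAAS call; every subsequent request through that client is then sent with a Content-Length header rather than in chunks.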
