https://wiki.hl7.de/index.php?action=history&feed=atom&title=cdaefa%3AEFA_XDS_SecurityConsiderationscdaefa:EFA XDS SecurityConsiderations - Versionsgeschichte2026-05-04T05:48:01ZVersionsgeschichte dieser Seite in Hl7wikiMediaWiki 1.31.0https://wiki.hl7.de/index.php?title=cdaefa:EFA_XDS_SecurityConsiderations&diff=20401&oldid=prevJcaumanns: Security Considerations für ITI-Bindings auf eigene Wiki-Seite ausgelagert.2014-09-16T17:59:05Z<p>Security Considerations für ITI-Bindings auf eigene Wiki-Seite ausgelagert.</p>
<p><b>Neue Seite</b></p><div>{{DocumentPart}}<br />
<br />
== Security Considerations ==<br />
<tt>Bitte markieren Sie [[cdaefa:Kommentierung_EFAv2.0|Kommentare]] zu diesem Abschnitt mit dem Code {EDesa.02.05}</tt><br />
<br />
=== Message Protection ===<br />
<tt>Bitte markieren Sie [[cdaefa:Kommentierung_EFAv2.0|Kommentare]] zu diesem Abschnitt mit dem Code {EDesa.02.05.01}</tt><br />
<br />
The ECR requester MUST apply means to achieve message authenticity, message integrity and message confidentiality. The EFA Resource Manager MUST approve at least one of the following mechanisms.<br />
<br />
==== Transport Layer Security with SAML Issued Endorsing Token ====<br />
The request message and the response message are sent over an EFA Resource Manager authenticated TLS-channel. In the SOAP Security Header the EFA client provides an EFA Identity Assertion and a wsu:timestamp element. If the SAML subject confirmation method is set to holder-of-key the wsu:timestamp element MUST be signed with the Subject-Confirmation-Key. If the SAML subject confirmation method is set to bearer the TLS-channel MUST be mutually authenticated.<br />
<br />
[[Datei:EFA_XDS_RM_SC_TLS.png|250px]]<br />
<br />
===== WS-Security-Policy Example =====<br />
<syntaxhighlight lang="xml"><br />
<wsp:Policy wsu:Id="ServicePortBindingPolicy"><br />
<sp:TransportBinding><br />
<wsp:Policy><br />
<sp:TransportToken><br />
<wsp:Policy><br />
<sp:HttpsToken RequireClientCertificate="false" /><br />
</wsp:Policy><br />
</sp:TransportToken><br />
<sp:AlgorithmSuite><br />
<wsp:Policy><br />
<sp:Basic256Sha256 /><br />
</wsp:Policy><br />
</sp:AlgorithmSuite><br />
<sp:IncludeTimestamp /><br />
<sp:Layout><br />
<wsp:Policy><br />
<sp:Strict /><br />
</wsp:Policy><br />
</sp:Layout><br />
</wsp:Policy><br />
</sp:TransportBinding><br />
<sp:Wss11><br />
<wsp:Policy /><br />
</sp:Wss11><br />
<wsam:Addressing /><br />
</wsp:Policy><br />
<wsp:Policy wsu:Id="Input_Policy"><br />
<sp:EndorsingSupportingTokens><br />
<wsp:Policy><br />
<sp:IssuedToken<br />
sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeTokenAlwaysToRecipient"><br />
<sp:RequestSecurityTokenTemplate><br />
<wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</wst:TokenType><br />
<wst:KeySize>2048</wst:KeySize><br />
</sp:RequestSecurityTokenTemplate><br />
<wsp:Policy></wsp:Policy><br />
</sp:IssuedToken><br />
</wsp:Policy><br />
</sp:EndorsingSupportingTokens><br />
</wsp:Policy><br />
</syntaxhighlight><br />
<br />
==== Asymmetric Message Protection ====<br />
The request message and the response message are signed and encrypted. The ECR requester uses the key material corresponding with the Subject-Confirmation-Key provided with the issued EFA Identity Assertion. The EFA Provider uses its service certificate and key. The wsu:timestamp element, all WS-Addressing elements and the SOAP-Body element MUST be signed. The SOAP-Body element MUST be encrypted.<br />
<br />
===== WS-Security-Policy Example =====<br />
<syntaxhighlight lang="xml"><br />
<wsp:Policy wsu:Id="ServicePortBindingPolicy"><br />
<sp:AsymmetricBinding><br />
<wsp:Policy><br />
<sp:InitiatorToken><br />
<wsp:Policy><br />
<sp:IssuedToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient"><br />
<sp:RequestSecurityTokenTemplate><br />
<wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</wst:TokenType><br />
<wst:KeySize>2048</wst:KeySize><br />
</sp:RequestSecurityTokenTemplate><br />
<wsp:Policy></wsp:Policy><br />
</sp:IssuedToken><br />
</wsp:Policy><br />
</sp:InitiatorToken><br />
<sp:RecipientToken><br />
<wsp:Policy><br />
<sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToInitiator"><br />
<wsp:Policy><sp:WssX509V3Token10 /></wsp:Policy><br />
</sp:X509Token><br />
</wsp:Policy><br />
</sp:RecipientToken><br />
<sp:AlgorithmSuite><wsp:Policy><sp:Basic256 /></wsp:Policy></sp:AlgorithmSuite><br />
<sp:Layout><wsp:Policy><sp:Strict /></wsp:Policy></sp:Layout><br />
<sp:IncludeTimestamp /><br />
<sp:OnlySignEntireHeadersAndBody /><br />
</wsp:Policy><br />
</sp:AsymmetricBinding><br />
<sp:Wss11><wsp:Policy></wsp:Policy></sp:Wss11><br />
<sp:Trust10><br />
<wsp:Policy><sp:MustSupportIssuedTokens /></wsp:Policy><br />
</sp:Trust10><br />
<wsap10:UsingAddressing /><br />
</wsp:Policy><br />
</syntaxhighlight><br />
<br />
==== WS-SecureConversation bootstrapped with SAML Issued Token ====<br />
The request message and the response message are signed and encrypted. Both the ECR requester and the EFA Provider use a symmetric Secure-Conversation-Token key. The Secure-Conversation-Token MUST reference the issued EFA Identity Assertion. The wsu:timestamp element, all WS-Addressing elements and the SOAP-Body element MUST be signed. The SOAP-Body element MUST be encrypted.<br />
<br />
=== Audit Trail ===<br />
<tt>Bitte markieren Sie [[cdaefa:Kommentierung_EFAv2.0|Kommentare]] zu diesem Abschnitt mit dem Code {EDesa.02.05.02}</tt><br />
<br />
Service consumer and service provider actors SHALL write an audit trail according to the [[cdaefa:EFA_Audit_Trail_Binding|EFAv2 Audit Trail Binding]].</div>Jcaumanns