Thursday, April 17, 2008

US Federal Agency GSA bets huge on Open Source

Open source 'reduces risk,' federal agency's CIO says
The agency uses a long list of open-source software, initially for its information systems but increasingly for transactional, mission-critical systems as well: JBoss, Linux (Red Hat), Bugzilla (bug tracking), JUnit (testing), JMeter (the Apache load-testing tool), Eclipse, KnowledgeTree (content management), and others.


The use of open source in the government sector is not surprising news, given that OSS can match or exceed the functionality of commercial closed-source software.

This news coincides with my decision to participate in an Identity Management Workshop at NIST on April 30, 2008, where I will be speaking on the OASIS standards SAML and XACML.

References:
http://www.gcn.com/blogs/tech/46132.html
http://www.linuxtoday.com/news_story.php3?ltsn=2008-04-17-018-26-NW-SW-PB

Saturday, April 12, 2008

Summary Review: OASIS XACML Interoperability Event at the RSA Conference 2008

Now that the RSA Conference 2008 has finished in San Francisco, I would like to take some time to report on the success of the OASIS XACML Interoperability event, in which JBoss/Red Hat participated alongside BEA Systems, IBM, Oracle, Sun, Axiomatics, Cisco and the Department of Veterans Affairs.

Information from the OASIS site is here.

The press release for the event from OASIS is here.

The code that has passed two consecutive OASIS XACML Interoperability Events will be released within days as JBossXACML v2.0.2.GA; the only pending item is usage documentation. The library will also ship in JBoss AS 5.0 to provide XACML capabilities.

References:
1) PolicySets used in the interop.
2) Tests used for the interop.

Details:
In a nutshell, XACML is a policy language focused solely on access control: it expresses who may perform which action on which resource under which conditions, and nothing else. With that in mind, the VA team built the interoperability scenarios around patient privacy in health care, using the HL7 confidentiality codes that can be attached to a patient's medical records.

Let me give some examples:
1) Your neighbor is a doctor and is nosy by nature. You certainly do not want him to have access to your medical records. As a patient, you can associate the UBA confidentiality code with a list of doctors that you do not want to have access to your records (a dissent list).
2) A patient arrives at a facility in an emergency. The providers do not have access to the patient's records, which are housed at another facility. They can trigger an "emergency override" to get access to the records; in an emergency they should be able to.
3) A patient can decide to mask a portion of his medical records (e.g. radiology test results) from a list of providers.

The VA developed an excellent application with a decent GUI that, in the background, interacted with its own PIP (Policy Information Point) to derive the attributes needed to build the XACML requests. Once the XACML requests were generated (based on the application interaction), they were passed to the PDP (Policy Decision Point) of each vendor.

Summary:
A simulated health care application operating on real medical-record data and driven by XACML-based use cases.

Additional References:
OASIS XACML Interoperability Document Bundle (a very important resource)

Samples:
The following are examples of SAML 2.0 payloads carrying XACML requests and responses.

Here is a sample request from the health care web application to the back-end PDP. Note that the request is carried inside a SAML protocol message (the XACMLAuthzDecisionQuery of the SAML profile of XACML), with ReturnContext="true" asking the PDP to echo the evaluated request back in its response.
<?xml version="1.0" encoding="UTF-8"?>
<samlp:RequestAbstract Destination="destination-uri"
    ID="s2846efb514a944cc3dc5b65ed8a76dde449787617"
    IssueInstant="2008-03-19T22:18:42Z" Version="2.0"
    xacml-samlp:InputContextOnly="true" xacml-samlp:ReturnContext="true"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:xacml-samlp="urn:oasis:xacml:2.0:saml:protocol:schema:os"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:type="xacml-samlp:XACMLAuthzDecisionQueryType">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">vaPepEntity</saml:Issuer>
  <xacml-context:Request xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os"
      xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:context:schema:os http://docs.oasis-open.org/xacml/access_control-xacml-2.0-context-schema-os.xsd">
    <xacml-context:Subject>
      <xacml-context:Attribute
          AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
          DataType="http://www.w3.org/2001/XMLSchema#string">
        <xacml-context:AttributeValue>Dr. Alice</xacml-context:AttributeValue>
      </xacml-context:Attribute>
      <!-- Multi-valued attribute: the bag of HL7 permissions held by the subject.
           Values are kept on one line so that no stray whitespace becomes part
           of the string the PDP compares. -->
      <xacml-context:Attribute
          AttributeId="urn:va:xacml:2.0:interop:rsa8:subject:hl7:permission"
          DataType="http://www.w3.org/2001/XMLSchema#string">
        <xacml-context:AttributeValue>urn:va:xacml:2.0:interop:rsa8:hl7:prd-003</xacml-context:AttributeValue>
        <xacml-context:AttributeValue>urn:va:xacml:2.0:interop:rsa8:hl7:prd-005</xacml-context:AttributeValue>
        <xacml-context:AttributeValue>urn:va:xacml:2.0:interop:rsa8:hl7:prd-006</xacml-context:AttributeValue>
        <xacml-context:AttributeValue>urn:va:xacml:2.0:interop:rsa8:hl7:prd-009</xacml-context:AttributeValue>
        <xacml-context:AttributeValue>urn:va:xacml:2.0:interop:rsa8:hl7:prd-010</xacml-context:AttributeValue>
        <xacml-context:AttributeValue>urn:va:xacml:2.0:interop:rsa8:hl7:prd-012</xacml-context:AttributeValue>
        <xacml-context:AttributeValue>urn:va:xacml:2.0:interop:rsa8:hl7:prd-017</xacml-context:AttributeValue>
      </xacml-context:Attribute>
    </xacml-context:Subject>

    <xacml-context:Resource>
      <xacml-context:Attribute
          AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
          DataType="http://www.w3.org/2001/XMLSchema#string">
        <xacml-context:AttributeValue>Anthony Gurrola</xacml-context:AttributeValue>
      </xacml-context:Attribute>
      <!-- The HL7 permissions required to access this record. -->
      <xacml-context:Attribute
          AttributeId="urn:va:xacml:2.0:interop:rsa8:resource:hl7:permission"
          DataType="http://www.w3.org/2001/XMLSchema#string">
        <xacml-context:AttributeValue>urn:va:xacml:2.0:interop:rsa8:hl7:prd-003</xacml-context:AttributeValue>
        <xacml-context:AttributeValue>urn:va:xacml:2.0:interop:rsa8:hl7:prd-005</xacml-context:AttributeValue>
        <xacml-context:AttributeValue>urn:va:xacml:2.0:interop:rsa8:hl7:prd-006</xacml-context:AttributeValue>
        <xacml-context:AttributeValue>urn:va:xacml:2.0:interop:rsa8:hl7:prd-009</xacml-context:AttributeValue>
        <xacml-context:AttributeValue>urn:va:xacml:2.0:interop:rsa8:hl7:prd-010</xacml-context:AttributeValue>
        <xacml-context:AttributeValue>urn:va:xacml:2.0:interop:rsa8:hl7:prd-012</xacml-context:AttributeValue>
        <xacml-context:AttributeValue>urn:va:xacml:2.0:interop:rsa8:hl7:prd-017</xacml-context:AttributeValue>
      </xacml-context:Attribute>
      <xacml-context:Attribute
          AttributeId="urn:va:xacml:2.0:interop:rsa8:resource:hl7:confidentiality-code"
          DataType="http://www.w3.org/2001/XMLSchema#string">
        <xacml-context:AttributeValue>xxx-DummyConfCode</xacml-context:AttributeValue>
      </xacml-context:Attribute>
      <!-- The patient's dissent list (scenario 1): note that it names the
           requesting subject, so this request should not be permitted unless
           an emergency override applies. -->
      <xacml-context:Attribute
          AttributeId="urn:va:xacml:2.0:interop:rsa8:resource:hl7:dissented-subject-id"
          DataType="http://www.w3.org/2001/XMLSchema#string">
        <xacml-context:AttributeValue>Dr. Alice</xacml-context:AttributeValue>
      </xacml-context:Attribute>
      <xacml-context:Attribute
          AttributeId="urn:va:xacml:2.0:interop:rsa8:resource:hl7:type"
          DataType="http://www.w3.org/2001/XMLSchema#string">
        <xacml-context:AttributeValue>urn:va:xacml:2.0:interop:rsa8:resource:hl7:medical-record</xacml-context:AttributeValue>
      </xacml-context:Attribute>
    </xacml-context:Resource>
    <xacml-context:Action/>
    <xacml-context:Environment>
      <xacml-context:Attribute
          AttributeId="urn:va:xacml:2.0:interop:rsa8:environment:locality"
          DataType="http://www.w3.org/2001/XMLSchema#string">
        <xacml-context:AttributeValue>Facility A</xacml-context:AttributeValue>
      </xacml-context:Attribute>
    </xacml-context:Environment>
  </xacml-context:Request>
</samlp:RequestAbstract>


Now a sample of a response. The XACMLAuthzDecisionStatement carries the xacml-context:Response and, because the query set ReturnContext="true", the xacml-context:Request that the PDP evaluated. Two details matter when you build one of these by hand: the top-level samlp:StatusCode must be a SAML status value (the XACML status lives inside the Result), and every ID attribute is an xs:ID, so it must be unique in the document and must not contain a colon.
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="response-id-1" Version="2.0"
    IssueInstant="2008-03-19T22:17:13Z">
  <!-- SAML-level status: Success. The XACML status code is reported in the
       xacml-context:Status of the Result below, not here. -->
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <!-- The Assertion needs its own ID; it may not reuse the Response ID. -->
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
      Version="2.0" ID="assertion-id-1" IssueInstant="2008-03-19T22:17:13Z">
    <saml:Issuer>issuer-1</saml:Issuer>
    <!-- The decision statement type is defined in the profile's assertion
         schema (xacml-saml), not in its protocol schema. -->
    <saml:Statement xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xmlns:xacml-saml="urn:oasis:names:tc:xacml:2.0:saml:assertion:schema:os"
        xsi:type="xacml-saml:XACMLAuthzDecisionStatementType">
      <xacml-context:Response xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os">
        <xacml-context:Result>
          <xacml-context:Decision>Permit</xacml-context:Decision>
          <xacml-context:Status>
            <xacml-context:StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
            <xacml-context:StatusMessage>ok</xacml-context:StatusMessage>
          </xacml-context:Status>
          <!-- Obligations the PEP must fulfil before acting on the Permit. -->
          <xacml:Obligations xmlns:xacml="urn:oasis:names:tc:xacml:2.0:policy:schema:os">
            <xacml:Obligation ObligationId="obligation-10" FulfillOn="Permit"/>
            <xacml:Obligation ObligationId="obligation-20" FulfillOn="Permit">
              <xacml:AttributeAssignment AttributeId="a-120"
                  DataType="http://www.w3.org/2001/XMLSchema#string"/>
            </xacml:Obligation>
          </xacml:Obligations>
        </xacml-context:Result>
      </xacml-context:Response>

      <!-- The evaluated request, echoed because ReturnContext="true". The
           default namespace declaration is required here, otherwise the
           unprefixed Subject/Attribute elements would be in no namespace. -->
      <xacml-context:Request xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os"
          xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:context:schema:os http://docs.oasis-open.org/xacml/access_control-xacml-2.0-context-schema-os.xsd">
        <Subject SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
          <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
              DataType="http://www.w3.org/2001/XMLSchema#string">
            <AttributeValue>100001</AttributeValue>
          </Attribute>
          <Attribute AttributeId="urn:va:names:xacml:2.0:subject:role"
              DataType="http://www.w3.org/2001/XMLSchema#string">
            <AttributeValue>Chief Resident</AttributeValue>
            <AttributeValue>Doctor</AttributeValue>
          </Attribute>
          <Attribute AttributeId="urn:va:names:xacml:2.0:subject:hl7permission"
              DataType="http://www.w3.org/2001/XMLSchema#string">
            <AttributeValue>PRD-017</AttributeValue>
            <AttributeValue>PRD-003</AttributeValue>
            <AttributeValue>PRD-010</AttributeValue>
            <AttributeValue>PRD-006</AttributeValue>
          </Attribute>
          <Attribute AttributeId="urn:va:names:xacml:2.0:subject:locality"
              DataType="http://www.w3.org/2001/XMLSchema#string">
            <AttributeValue>Facility A</AttributeValue>
          </Attribute>
        </Subject>
        <Resource>
          <Attribute AttributeId="urn:va:names:xacml:2.0:record_type"
              DataType="http://www.w3.org/2001/XMLSchema#string">
            <AttributeValue>patientchart</AttributeValue>
          </Attribute>
        </Resource>
        <Action>
          <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
              DataType="http://www.w3.org/2001/XMLSchema#string">
            <AttributeValue>read</AttributeValue>
          </Attribute>
        </Action>
        <Environment/>
      </xacml-context:Request>
    </saml:Statement>
  </saml:Assertion>
</samlp:Response>
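To make the dissent-list and emergency-override scenarios concrete, here is an added example (my own illustration, not code from the original post and not part of JBossXACML or the VA application) that unwraps a SAML-carried XACML request shaped like the sample above, evaluates those two rules, and serializes the xacml-context:Response a PDP would place in its decision statement. The embedded query is a constructed, trimmed copy of the request sample; the environment attribute used as the override flag (urn:example:xacml:environment:emergency-override) is an assumed identifier, and the rule logic is a stand-in for the interop policy set, which is not reproduced here.

```python
# Added example, not from the original post or from JBossXACML.
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
XACML_SAMLP = "urn:oasis:xacml:2.0:saml:protocol:schema:os"
XSI = "http://www.w3.org/2001/XMLSchema-instance"
XACML_CTX = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"

SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
DISSENTED_ID = "urn:va:xacml:2.0:interop:rsa8:resource:hl7:dissented-subject-id"
# Assumed (hypothetical) environment attribute carrying the override flag.
EMERGENCY_ID = "urn:example:xacml:environment:emergency-override"

for prefix, uri in (("samlp", SAMLP), ("saml", SAML), ("xacml-samlp", XACML_SAMLP),
                    ("xsi", XSI), ("xacml-context", XACML_CTX)):
    ET.register_namespace(prefix, uri)  # keeps re-serialized XML readable

# Constructed input: a trimmed copy of the request sample above. The dissent
# value is deliberately surrounded by whitespace, as in the original sample.
DR_ALICE_QUERY = """<samlp:RequestAbstract ID="s2846efb514a944cc3dc5b65ed8a76dde449787617"
    IssueInstant="2008-03-19T22:18:42Z" Version="2.0"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:xacml-samlp="urn:oasis:xacml:2.0:saml:protocol:schema:os"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xacml-samlp:InputContextOnly="true" xacml-samlp:ReturnContext="true"
    xsi:type="xacml-samlp:XACMLAuthzDecisionQueryType">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">vaPepEntity</saml:Issuer>
  <xacml-context:Request xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os">
    <xacml-context:Subject>
      <xacml-context:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
          DataType="http://www.w3.org/2001/XMLSchema#string">
        <xacml-context:AttributeValue>Dr. Alice</xacml-context:AttributeValue>
      </xacml-context:Attribute>
    </xacml-context:Subject>
    <xacml-context:Resource>
      <xacml-context:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
          DataType="http://www.w3.org/2001/XMLSchema#string">
        <xacml-context:AttributeValue>Anthony Gurrola</xacml-context:AttributeValue>
      </xacml-context:Attribute>
      <xacml-context:Attribute AttributeId="urn:va:xacml:2.0:interop:rsa8:resource:hl7:dissented-subject-id"
          DataType="http://www.w3.org/2001/XMLSchema#string">
        <xacml-context:AttributeValue>
          Dr. Alice
        </xacml-context:AttributeValue>
      </xacml-context:Attribute>
    </xacml-context:Resource>
    <xacml-context:Action/>
    <xacml-context:Environment/>
  </xacml-context:Request>
</samlp:RequestAbstract>
"""


def _tag(local):
    return "{%s}%s" % (XACML_CTX, local)


def attribute_values(request, section, attribute_id):
    """Whitespace-stripped values of one attribute in a request section
    ("Subject", "Resource", "Action" or "Environment"); multi-valued
    attributes such as the hl7:permission bag yield several entries."""
    values = []
    for sec in request.findall(_tag(section)):
        for attr in sec.findall(_tag("Attribute")):
            if attr.get("AttributeId") != attribute_id:
                continue
            for v in attr.findall(_tag("AttributeValue")):
                values.append((v.text or "").strip())
    return values


def decide(query_xml):
    """Apply the two interop rules to a SAML-wrapped (or bare) XACML request."""
    root = ET.fromstring(query_xml)
    request = root if root.tag == _tag("Request") else root.find(".//" + _tag("Request"))
    if request is None:
        return "Indeterminate"  # no xacml-context:Request inside the query
    subjects = attribute_values(request, "Subject", SUBJECT_ID)
    dissented = set(attribute_values(request, "Resource", DISSENTED_ID))
    override = attribute_values(request, "Environment", EMERGENCY_ID) == ["true"]
    if override:
        return "Permit"  # emergency override trumps the dissent list (scenario 2)
    if any(s in dissented for s in subjects):
        return "Deny"    # requester is on the patient's dissent list (scenario 1)
    return "Permit"      # a real policy set would also check roles/permissions here


def with_emergency_override(query_xml):
    """Copy of the query with the assumed override flag set, as an emergency PEP would."""
    root = ET.fromstring(query_xml)
    env = root.find(".//" + _tag("Environment"))
    attr = ET.SubElement(env, _tag("Attribute"), AttributeId=EMERGENCY_ID, DataType=XS_STRING)
    ET.SubElement(attr, _tag("AttributeValue")).text = "true"
    return ET.tostring(root, encoding="unicode")


def build_response(decision):
    """Serialize the xacml-context:Response a PDP places in its decision statement."""
    resp = ET.Element(_tag("Response"))
    result = ET.SubElement(resp, _tag("Result"))
    ET.SubElement(result, _tag("Decision")).text = decision
    status = ET.SubElement(result, _tag("Status"))
    ET.SubElement(status, _tag("StatusCode"), Value="urn:oasis:names:tc:xacml:1.0:status:ok")
    return ET.tostring(resp, encoding="unicode")


def decision_of(response_xml):
    """Read the Decision back out of a serialized xacml-context:Response."""
    return ET.fromstring(response_xml).find(".//" + _tag("Decision")).text


if __name__ == "__main__":
    for label, q in (("dissent", DR_ALICE_QUERY), ("override", with_emergency_override(DR_ALICE_QUERY))):
        print(label, build_response(decide(q)))
```

Running it shows the point the request sample above makes implicitly: with "Dr. Alice" both as the subject-id and on the record's dissent list the decision is Deny, and only an explicit override in the Environment turns it into Permit. The values are stripped before comparison because, as the original samples show, AttributeValue text often arrives with surrounding newlines, and a string-equal match in a policy would otherwise silently fail.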


Reference:
OASIS XACML Interoperability (RSA Conference 2008)

NOTE: If you need additional info, do not hesitate to email me at "asaldhan at redhat dot com".

JBossXACML v2.0.2.GA released

Note: JBossXACML v2.0.3.CR1 is here.

After a very successful showing at the OASIS XACML Interoperability event at the RSA Conference 2008, I have released the v2.0.2.GA libraries of JBossXACML. The JIRA issue is SECURITY-193.

What should be expected in the 2.0.2.GA libraries?
1) OASIS XACML v2.0 core.
2) SOAP 1.1/SAML 2.0 payloads carrying XACML requests and responses (using OpenSAML v2.0).
- Packaged servlets will be provided for this. :)
3) A JAXB 2.0 object model for policies, requests, etc. (if you would rather not deal with raw XML).

Stay tuned.

Additionally, as part of the Open Console or Embedded Console of JBoss AS 5, we should have a decent free XACML editor for creating policy sets (in the works now).

Where should I look for the files to download?
http://www.jboss.org/jbosssecurity/download/index.html

Information:
Wiki: http://wiki.jboss.org/wiki/JBossXACML

My appreciation to Marcus Moyses for all the help he rendered during the pre-interop preparation. Marcus is leading our XACML console effort.

Testimonials

April 24, 2008
The demo is now operational, so no code changes are necessary at the moment. We started from a commercial product that did not meet expectations. In fourteen days' effort we were able to retarget and deliver using JBossXACML, mainly by closely following the JBossXACML test cases. I am very happy we discovered the alternative, and it is much more robust than the commercial alternative. Well done!


UPDATE: November 16, 2008
I know that many folks out there in the community and the industry are making use of JBossXACML. I would really like to know whether JBossXACML has been useful to you, so please drop me a note at (Anil dot Saldhana at redhat dot com) if you find it useful. When people find OSS projects useful, it gives their developers satisfaction. CHEERS!!!