Lutz Suhrbier1, Ekaterina Langer1, Anton Güntsch2, Markus Döring2 & Walter G. Berendsohn2
1 Networked Information Systems, Department of Mathematics and Computer Science, Freie Universität Berlin, Takustr. 9, 14195 Berlin, Germany
2 Department of Biodiversity Informatics, Botanic Garden and Botanical Museum Berlin-Dahlem, Koenigin-Luise-Str. 6-8, 14191 Berlin, Germany
Our task within the projects SYNTHESYS and GBIF-D is the development of authentication services for system access in the BioCASe/GBIF context, so that restricted data access can be granted to appropriate end-users using the same infrastructure as used for general access. The task includes the specification of appropriate rights, their attribution to partners and their further management.
Our solution introduces an application level firewall into the BioCASE scenario which is logically located between data providers and clients. This firewall processes on requests and responses of the BioCASE protocol. The firewall may constrain the execution of BioCASE protocol methods as well as the (partial) delivery of queried documents. Therefore, it incorporates client authentication, role assignment of authenticated clients and the enforcement of access rights. The authentication component implements the SSL protocol and is therefore founded on a X.509 based Public Key Infrastructure (PKI). The installation of those PKIs will be supported through a script driven implementation of OpenSSL-based certification authorities. Role assignment and access rights enforcement are expressed as XACML policies. For policy management purposes an appropriate administration tool will be provided. Firewall and administration tool are realised as Java applications using Sun’s XACML implementation.
We acknowledge support by the European Union (SYNTHESYS project) and the Federal Ministry of Education and Research (GBIF-D project) for the development of the security services.