Securing eGovernment education services
ETNIC (Entreprise des Technologies Nouvelles de l’Information et de la Communication), the IT agency of Belgium's French Community (BFC), delivers solutions to the BFC's public services. Founded in 2002, ETNIC employs 150 IT specialists and has an annual budget of €24 million.
BFC provides services relating to education, culture, research and training, health (exclusively preventive medicine), youth assistance, infrastructure, sports and international relations. In this case, BFC tasked ETNIC with improving its school student registration infrastructure.
ETNIC by the Numbers
- Encompasses 3,500 schools and 8,000 disparate clients
- > 1,000,000 student registrations
- > 300 registrations per second at peak
Much like any modernized education system, BFC had already undertaken to computerize as many of its processes as possible. To that end, each school had developed its own IT systems, with applications written in a diverse range of technologies (Delphi, Java, Microsoft .NET and so on), while BFC itself had built centralized applications written in COBOL for its mainframe, Web services written in Java and IBM's Enterprise Generation Language (EGL), links to Electronic Document Management (EDM) systems, and many others. Because of the many disparate systems and actors, the registration process often devolved to exchanging paper documents between stakeholders by post.
ETNIC knew that with so many diverse applications, a Service Oriented Architecture (SOA) approach would be the best way to enable standards-based interoperability without requiring structural-level integration. ETNIC chose Layer 7's SecureSpan SOA Gateway as the access point to the Apache ServiceMix Enterprise Service Bus (ESB). Because both SecureSpan and ServiceMix support the industry-standard WS-* specifications, ETNIC could count on the usual advantages of SOA: service reuse, loose coupling and greater IT agility.
The architected solution called for ETNIC to expose Web services to requesters through Layer 7's SecureSpan SOA Gateway. At runtime, SecureSpan processes each incoming request, applies the authentication and authorization rule set defined in policy, queries databases to enrich the original request, and then invokes the appropriate internal service via the ServiceMix ESB, which constructs a response formatted in accordance with the service invoked.
Only one problem remained: establishing trust between the back end and the myriad of clients deployed on all the different platforms hosted throughout the school district. To maximize interoperability with local IT standards, ETNIC made it possible to authenticate eGovernment service requesters with the Belgian electronic identity card (eID).
In this model, the identity of the client-side service requester rests on a government-issued smart card. To avoid needing smart card access for every message exchange, ETNIC developed a client-side application called “WSGenCon” (Web Services Generic Connector), which performs the initial authentication with a WS-Trust RequestSecurityToken call to the SecureSpan Gateway. Using SSL mutual authentication with the eID certificate, SecureSpan authenticates the requester's identity and establishes a WS-SecureConversation security context with an associated shared secret key. WSGenCon uses that session key for subsequent exchanges, such as Web service invocations, without further access to the requester's smart card. To keep the security level high, the key expires after a set amount of time, at which point WSGenCon negotiates a new one, so a stolen session secret is only useful until the context lapses. Using WS-Trust and WS-SecureConversation in this way allows schools to make multiple student registrations without repeatedly entering their eID PIN code, maximizing system efficiency and administrator productivity.
With each school implementing and maintaining their own IT systems, some schools necessarily have more (or less) IT resources, budget and skills than others. The client-side WSGenCon service, in conjunction with the Layer 7 Gateway were key in ensuring all schools – no matter their technical expertise – could take advantage of the new student registration system by hiding much of the complex security standards involved in the process.
For plain business requests, WSGenCon adds whichever parts of the WS-* stack the security policy deployed on the Layer 7 Gateway stipulates (such as WS-Addressing, WS-Security, WS-Trust and WS-SecureConversation). WSGenCon also handles the entire protocol layer (HTTP, HTTPS, SOAP, etc.) and takes care of XML formatting. Each school's local client application only needs to handle business concepts in its own format. The interaction between WSGenCon and the Layer 7 SOA Gateway encapsulates all the technical complexity, making the entire trust mechanism transparent to the end user, keeping the system usable and providing a simple way to secure eGovernment service exchanges.
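The exchange described above (the one-time WS-Trust token request, the WS-SecureConversation session secret that WSGenCon then uses to sign each business request, and the forced renegotiation when the context expires) is easier to follow as a small simulation. The following Python is an added illustration, not WSGenCon's or Layer 7's own code. It simulates both sides: a gateway that issues a security context after authentication (mutual TLS and the eID card are assumed to have already happened when `issue_token` is called), a WSGenCon-like connector that derives per-message keys from the session secret, and a clock that is advanced by hand so the expiry can be exercised. Key derivation uses P_SHA1 from TLS 1.0, which is what WS-SecureConversation specifies for derived keys; the label value reflects our reading of the 1.3 specification's default and is an assumption, as are all identifiers, subjects and payloads, which are constructed for the example. Signing a fixed byte layout with HMAC-SHA256 stands in for canonicalized XML signatures.

```python
import hashlib
import hmac
import secrets
import uuid

# Derived-key label: per our reading of WS-SecureConversation 1.3 the default is
# the text "WS-SecureConversation" written twice (assumption for this example).
WSC_LABEL = b"WS-SecureConversationWS-SecureConversation"


def p_sha1(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA1 from TLS 1.0 (RFC 2246 s.5): A(0)=seed, A(i)=HMAC(secret, A(i-1)),
    output = HMAC(secret, A(1)+seed) || HMAC(secret, A(2)+seed) || ..., truncated."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha1).digest()
        out += hmac.new(secret, a + seed, hashlib.sha1).digest()
    return out[:length]


def derive_key(context_secret: bytes, nonce: bytes, offset: int = 0, length: int = 32) -> bytes:
    """wsc:DerivedKeyToken style key: P_SHA1(secret, label + nonce), `length` bytes from `offset`."""
    return p_sha1(context_secret, WSC_LABEL + nonce, offset + length)[offset:]


def canonical(env: dict) -> bytes:
    # Real WS-Security signs canonicalised XML; this example MACs a fixed byte layout.
    return env["Identifier"].encode() + env["Nonce"] + env["Body"]


class Clock:
    """Shared simulated clock in seconds, so expiry behaviour is deterministic."""
    def __init__(self) -> None:
        self.now = 0


class Gateway:
    """Gateway side: WS-Trust token issuance plus verification of signed requests."""
    def __init__(self, clock: Clock, lifetime: int) -> None:
        self.clock, self.lifetime, self.contexts = clock, lifetime, {}

    def issue_token(self, subject: str) -> dict:
        """RequestSecurityToken handler; assumes mutual TLS already authenticated `subject`."""
        ctx_id = f"urn:uuid:{uuid.uuid4()}"
        secret, expires = secrets.token_bytes(32), self.clock.now + self.lifetime
        self.contexts[ctx_id] = (secret, expires, subject)
        # RequestSecurityTokenResponse: context identifier, lifetime and proof key.
        return {"Identifier": ctx_id, "Expires": expires, "Secret": secret}

    def verify(self, env: dict):
        ctx = self.contexts.get(env["Identifier"])
        if ctx is None:
            return False, "wsc:BadContextToken"
        secret, expires, subject = ctx
        if self.clock.now >= expires:
            del self.contexts[env["Identifier"]]  # an expired context is never honoured
            return False, "expired"
        key = derive_key(secret, env["Nonce"])
        expected = hmac.new(key, canonical(env), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, env["Signature"]):
            return False, "wsse:FailedCheck"
        return True, subject


class Connector:
    """Client side (WSGenCon-like): card used once per context, derived keys afterwards."""
    def __init__(self, gateway: Gateway, clock: Clock, subject: str) -> None:
        self.gateway, self.clock, self.subject = gateway, clock, subject
        self.context, self.smartcard_uses = None, 0

    def build(self, body: bytes) -> dict:
        if self.context is None or self.clock.now >= self.context["Expires"]:
            self.smartcard_uses += 1  # only the RST needs the eID card and PIN
            self.context = self.gateway.issue_token(self.subject)
        nonce = secrets.token_bytes(16)  # fresh nonce => fresh derived key per message
        env = {"Identifier": self.context["Identifier"], "Nonce": nonce, "Body": body}
        key = derive_key(self.context["Secret"], nonce)
        env["Signature"] = hmac.new(key, canonical(env), hashlib.sha256).digest()
        return env

    def send(self, body: bytes):
        return self.gateway.verify(self.build(body))


def run_registrations(n_messages: int = 5, lifetime: int = 600, interval: int = 200):
    """Registrations spread over time: returns (accepted flags, number of card uses)."""
    clock = Clock()
    connector = Connector(Gateway(clock, lifetime), clock, "CN=School Administrator")  # constructed
    accepted = []
    for i in range(n_messages):
        ok, _ = connector.send(f"<registerStudent seq='{i}'/>".encode())  # constructed payload
        accepted.append(ok)
        clock.now += interval
    return accepted, connector.smartcard_uses


def tampered_and_replayed():
    """A modified body fails the MAC; the original envelope replayed after expiry is refused."""
    clock = Clock()
    gateway = Gateway(clock, lifetime=600)
    env = Connector(gateway, clock, "CN=School Administrator").build(b"<registerStudent seq='0'/>")
    forged = dict(env, Body=b"<registerStudent seq='0' grade='A'/>")
    tampered_reason = gateway.verify(forged)[1]
    clock.now += 600
    replayed_reason = gateway.verify(env)[1]
    return tampered_reason, replayed_reason
```

With the defaults (a 600 s context and a request every 200 s), five registrations cost two smart card authentications: the first at time 0 and the second when the context lapses at 600 s. The gateway checks expiry before the signature, so an old envelope cannot be replayed once the context is gone, and any change to the body breaks the per-message MAC.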
With ETNIC’s solution in place, communications between entities in the school registration process no longer have to resort to manual, paper-based exchange of data, dramatically reducing errors in data entry and increasing system efficiency. Within a school system that has more than 3,500 schools and a million students, even minor gains in efficiency have a significant impact on the productivity of all administrators.
Going forward, changes to security requirements can be made quickly and simply in a single, central place: the Layer 7 policy document. This removes a burden from each school's IT team, which traditionally would have had to update its client systems to conform to the new requirements, test the changes, and redeploy the new client.
According to Anne Noseda from ETNIC’s support team, “Layer 7 allows us to define complex security policies in a graphical user-friendly way.” Her colleague Sébastien Bal agreed with her: “After a short period of adaptation, we can now focus on security-related business logic requirements instead of their technical implementation. The security policies are also easier to maintain.”
Additionally, ETNIC now has a new addition to their library of freely available SOA artifacts that other projects can leverage to reduce the cost and effort of their projects. For more information on WSGenCon (or any other ETNIC project) visit the ETNIC website at http://www.etnic.be, or download source code directly at http://forge.etnic.be.