IGC Provider System Questionnaire

brickborder, Security

3 Nov 2013 (3 years and 11 months ago)








Short Title:


Date Questionnaire Sent to the IGC PMO:

Date IGC PMO Received Questionnaire:

Section A


Requestor Information

Functional POC

Name:


Title:


Phone:


Email:


Organization:



Technical POC

Name:


Title:


Phone:


Email:


Organization:


Section B


IGC Provider System Questionnaire

Questions Related to Technical Environment Connectivity

1. Does the provider system have environments (Dev, Test, Stage, Prod) to support the IGC Data Broker development lifecycle?


2. Are the environments in place and stable?


3. If yes, where is your system hosted, per environment if they differ (DISA DECC, commercial environment, military installation, etc.)?

4. If not on DISA network (e.g., Component network), does the provider know the process and POCs for gaining access to their servers on that network?

5. If your system is still in development or is operational, please attach a copy of your release schedule showing major milestones such as IATC, ATC, IATO, ATO, etc.


6. Please select one of the following preferred communication methods for sending the requested data:

__ SFTP or Secure File Gateway (SFG)

__ Web Services

__ JMS

__ MQ Series

Please complete the questions below for the communication method selected.


6a. SFTP/SFG:


Please specify your SFTP client and server software (vendor / version / patch level).


What operating system will your SFTP client be hosted on?


Will you be using the standard SFTP port? If not, please specify the port number.







Is a push or pull of data required?

If data is pulled from you, the IGC Data Broker will initiate the SFTP transfer with your server.

If you push data to the IGC Data Broker, you must initiate the SFTP transfer.


Do your developers have experience in successfully configuring SFTP certificate based key authentication?

If yes, please briefly describe your experience.


If you desire a pull interface, you will be required to delete the files once you have retrieved them with SFTP. Does your software support this?


6b. Web Service Call:


Please select the appropriate configuration:


__ IGC Data Broker Hosted Web Service, i.e. you call a Web Service to retrieve your data

__ Provider Hosted Web Service, i.e. the IGC data broker calls your Web Service to send the data.


Please complete the questions below as applicable for your selection:


Provider Hosted Web Service Call (by Broker to provider to push data)

Is the web service already developed?

If yes, please attach WSDL.


Do you enforce Web Services Security (WSS) 1.0?


Select the policy assertions your Web Service enforces:



__ Timestamp

   Enforce expiration? ___ Y ___ N

__ UsernameToken (note, IGC does not currently support sending password digests, only text)

__ Signature

   Require signed SOAP message body? ___ Y ___ N

__ Encryption

   Require encrypted SOAP message body? ___ Y ___ N

__ X509Authentication


Is your Web Service WS-I Basic Profile v1.1 compliant (not SOAP 1.2 compliant)?

If so, remove the binding and port for SOAP 1.2 from the WSDL you attach.

If not, please select which version of SOAP you implement:

__ SOAP 1.1

__ SOAP 1.2







Does your Web Service check for SAML assertions?

Note that on behalf of client application, IGC Data Broker will add a SAML assertion for the initial request originator only.


Please list other Web Services standards your Web Service enforces (i.e. WS Notification, SAML, etc).


What port does the service run on?


What application software hosts the service (vendor, product, version, OS)?


IGC Data Broker Hosted Web Service (by Broker; provider will pull data)

Can you support https over 443?


Do you have certificates available for entry in public keystore/LDAP?


Will you be using COTS or developed software to call the IGC hosted Web Service?

If you will be using COTS, please specify the vendor, product, version, and OS.

If you will be using developed code, has this code already been developed and tested, what language is/will it be implemented in, what operating system does it run on?


IGC Data Broker implements the following Web Services standards (note that standards are continuously being considered and undergo an adoption process):

- SOAP 1.1

- WS Security (WSS) 1.0

- XML Digital Signature (XMLDigSig)

- SAML


IGC Data Broker enforces Web Services Security (WSS) 1.0.

Note the following policy assertions IGC Data Broker hosted Web Service enforces:

- Timestamp (in seconds)

- Signature (SOAP message body signed)

- X.509 Authentication (Direct reference only)


Note that IGC Data Broker Web Services are compliant with WS-I Basic Profile 1.1 and do not currently support SOAP 1.2. The IGC Data Broker Web Service will generate a SOAP Fault (indicating a Version Mismatch) for each SOAP 1.2 request received.




For developed code please attach any design artifacts that might be useful in evaluation of this checklist.


6c. Local JMS (consumer calls IGC Data Broker-hosted JMS using external webMethods libraries like ALSB)


Please specify the environment running your JMS client (vendor, product, version, OS)?







Can your product suite use external libraries to perform JMS connections?


Is JMS approved by your organization's security office?


Do you have a certificate for entry in public keystore/LDAP?


6d. Remote JMS (IGC Data Broker calls consumer-hosted JMS using third party libraries like ALSB via webMethods JMS Adapter)


Please specify the environment details running your JMS provider (IP/hostname, port)?


Does your JMS provider use SSL for authentication?


Does your JMS client support message encryption?


6e. Remote WebSphere/MQ Series (hosted by consumer)


Is MQ Series approved by your organization's security organization?


Please provide the IP/hostname, port, and queue name, if available.


6f. Local WebSphere/MQ Series (hosted by IGC Data Broker)


IGC Data Broker WebSphere/MQ IP/hostname, port, and queue name will be communicated with your technical POC.


7. Is the provider system developer experienced with the proposed communication method?


8. Is the proposed communication method supported by approved ports, protocols, and service boundaries?


9. Is the provider system able to support PKI encryption using DoD certificates (i.e., SSH key exchange, 2-way SSL authentication, WSS X509 Authentication)?


10. Is the provider system developer experienced with PKI encryption using DoD certificates (i.e., SSH key exchange, 2-way SSL authentication, WSS X509 Authentication)?


11. What is the lead time in your organization for submitting requests, gaining approval for, and implementing firewall modifications?


12. What are the potential firewall/security issues IGC Data Broker ought to know in order to successfully interface with the provider system?


13. What tools will the provider system use to connect to IGC Data Broker?









Questions Related to Data Exchange

14. What is the type of data exchange (i.e., batch or near real-time)?

15. What is the data exchange frequency (i.e., one time/per day, near real-time query, etc)?

16. What is the data exchange size?

17. What is the data file format (i.e., XML, flat file, etc)?

18. What is the estimated volume of data exchange per batch file/near real-time query?



19. How many files are involved in each data exchange (i.e., two backorder and requisition status data)?

20. How long is data retained for immediate replay (1 day, 7 days, other)?

21. What is the retention period of archived data (6 months, 1 year, 5 years, other)?

22. If IDE requires replay of archived data, how long would it typically take to retrieve the archived data and make it available for replay?

23. Attached is a list of the consumer system's data element requirement. Review the list and indicate which data elements you are able to provide.

24. Other Comments: