Belgium French Community (ETNIC) - Secure eGovernment Services
8/2/2019

ETNIC (Entreprise des Technologies Nouvelles de l'Information et de la Communication), the Information Technology Agency of Belgium's French Community (BFC), provides high quality solutions for the various public services of the BFC. Founded in 2002, ETNIC employs 150 IT specialists and is annually allocated a budget of 24 million.

BFC provides services relating to education, culture, research and training, health (exclusively preventative medicine), assistance to young people, infrastructure, sports and international relations. In this case, BFC tasked ETNIC with improving its school student registration infrastructure.

eGovernment Services for Education

Much like any modernized education system, BFC had already undertaken to computerize as many of its processes as possible. To that end, each school developed its own IT systems, featuring applications written using a diverse range of technologies (from Delphi to Java to Microsoft .Net and so on), while the BFC itself had created centralized applications written in COBOL for its mainframe; Web Services written in Java and IBM's Enterprise Generation Language (EGL); links to Electronic Document Management (EDM) systems; and many others. Because of the many disparate systems and actors, the registration process often devolved to sending communications between stakeholders via paper documents and snail mail.

ETNIC knew that with so many diverse applications, a Service Oriented Architecture (SOA) approach would be the best way to enable standards-based interoperability without requiring structural-level integration. ETNIC chose to implement Layer 7's SecureSpan XML Gateway as the access point to the ServiceMix Enterprise Service Bus (ESB) from the open source Apache community. Because both SecureSpan and ServiceMix support the industry standard WS-* specifications, ETNIC could be assured of benefiting from all the advantages of SOA, including service reuse, loose coupling and greater IT agility.

The architected solution called for ETNIC to expose Web services to requesters with the help of Layer 7's SecureSpan Gateway. At runtime, SecureSpan processes incoming requests, applies the authentication and authorization rule set defined in policy, queries databases to enrich the original request, and then invokes the appropriate internal service via the ServiceMix ESB to construct a response formatted in accordance with the service invoked.

Only one problem remained: establishing trust between the back-end and the myriad of clients deployed on all the different platforms hosted throughout the school district. In order to maximize interoperability with local IT standards, ETNIC enabled the possibility of authenticating eGovernment service requesters using the Belgian electronic identity card (eID).

Balancing Security and Efficiency

In this model, the identity of the client-side service requester relies on government-issued smart cards. But to avoid the need for smart card access on each message exchange, ETNIC developed a client-side application called WSGenCon (Web Services Generic Connector), which allows the initial authentication of the identity to be performed via a WS-Trust Request Security Token call to the SecureSpan Gateway. Using SSL mutual authentication, SecureSpan authenticates the requester's identity and creates a WS-Secure Conversation session with an associated shared secret key. The client-based WSGenCon relies on this session key for subsequent exchanges, such as Web service invocation, without requiring further access to the requester's smart card. To maintain a high security level, the key expires after a set amount of time, at which point WSGenCon negotiates a new one. Using WS-Trust and WS-Secure Conversation in this way allows schools to make multiple student registrations without constantly re-entering their beID PIN code, thereby maximizing system efficiency and administrator productivity.
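The session lifecycle described above, as a constructed simulation added here (not ETNIC's WSGenCon code nor Layer 7's API): a stand-in token service issues a security context after a mutual-TLS eID check, the client signs each later message with the cached shared key, and a new context is negotiated (one more PIN prompt) only once the old one has expired. The class and method names and the 300-second lifetime are assumptions.

```python
import hashlib
import hmac
import secrets
import time

SESSION_LIFETIME = 300  # seconds; an assumption, the page gives no value

class TokenService:
    """Stand-in for the gateway's WS-Trust endpoint: issues a security context."""
    def __init__(self, clock=time.time):
        self.clock = clock
        self.sessions = {}  # context id -> (shared key, expiry)

    def request_security_token(self, tls_client_identity):
        # Mutual TLS has already authenticated the eID; an empty identity means
        # the channel was not client-authenticated, so no context is issued.
        if not tls_client_identity:
            raise PermissionError("no eID identity on the TLS channel")
        ctx, key = secrets.token_hex(8), secrets.token_bytes(32)
        expiry = self.clock() + SESSION_LIFETIME
        self.sessions[ctx] = (key, expiry)
        return ctx, key, expiry

    def verify(self, ctx, body, tag):
        entry = self.sessions.get(ctx)
        if entry is None:
            return False
        key, expiry = entry
        if self.clock() >= expiry:
            del self.sessions[ctx]  # expired contexts are dropped, never reused
            return False
        expected = hmac.new(key, body, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)

class WSGenConClient:
    """Caches the session key so the smart card is only needed for the RST."""
    def __init__(self, sts, identity, clock=time.time):
        self.sts, self.identity, self.clock = sts, identity, clock
        self.ctx = self.key = self.expiry = None
        self.pin_prompts = 0  # how often the user had to present the eID PIN

    def sign(self, body):
        # Renegotiate (one more PIN prompt) only when there is no live context.
        if self.ctx is None or self.clock() >= self.expiry:
            self.pin_prompts += 1
            self.ctx, self.key, self.expiry = self.sts.request_security_token(self.identity)
        tag = hmac.new(self.key, body, hashlib.sha256).digest()
        return self.ctx, body, tag
```

The real protocol carries the context id in a SecurityContextToken and derives per-message keys; this model keeps a single HMAC key to show only the expiry and renegotiation behaviour.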


ETNIC by the Numbers
- Encompasses 3,500 schools and 8,000 disparate clients
- More than 1,000,000 student registrations
- More than 300 registrations per second at peak


Copyright 2011 Layer 7 Technologies Inc. All rights reserved. SecureSpan and the Layer 7 Technologies design mark are trademarks of Layer 7 Technologies Inc. All other trademarks and copyrights are the property of their respective owners.

Security under the Hood

With each school implementing and maintaining its own IT systems, some schools necessarily have more (or less) IT resources, budget and skills than others. The client-side WSGenCon service, in conjunction with the Layer 7 Gateway, was key in ensuring that all schools, regardless of their technical expertise, could take advantage of the new student registration system, by hiding much of the complex security standards involved in the process.

For simple business requests, WSGenCon adds whatever parts of the WS-* stack the security policy deployed on the Layer 7 Gateway stipulates (such as WS-Addressing, WS-Security, WS-Trust and WS-Secure Conversation). WSGenCon also handles the entire protocol layer (HTTP, HTTPS, SOAP, etc.), as well as taking care of XML formatting. Each school's local client application only needs to handle business concepts in its own format. The interaction between WSGenCon and the Layer 7 Gateway encapsulates all the technical complexity, making the entire trust mechanism completely transparent to the end-user, ensuring system usability and providing a simple way to secure eGovernment service exchanges.

The Results

With ETNIC's solution in place, communications between entities in the school registration process no longer have to resort to manual, paper-based exchange of data, dramatically reducing errors in data entry and increasing system efficiency. Within a school system that has more than 3,500 schools and a million students, even minor gains in efficiency have a significant impact on the productivity of all administrators.

Going forward, changes to security requirements can be made quickly and simply in a single, central place: the Layer 7 policy document. This removes the burden from each school's IT team, which traditionally would need to update their client systems to conform to the new requirements, test the changes, and redeploy the new client.

According to Anne Noseda from ETNIC's support team, "Layer 7 allows us to define complex security policies in a graphical user-friendly way." Her colleague Sébastien Bal agreed with her: "After a short period of adaptation, we can now focus on security-related business logic requirements instead of their technical implementation. The security policies are also easier to maintain."

Additionally, ETNIC now has a new addition to its library of freely available SOA artifacts that other projects can leverage to reduce the cost and effort of their projects. For more information on WSGenCon (or any other ETNIC project) visit the ETNIC website at http://www.etnic.be, or download source code directly at http://forge.etnic.be.