Security

From SDMX2 Global Registry Documentation

The nature of the Global Registry is that the Structures deployed within it are open to be viewed and browsed by anyone. There is no restriction on read access, and there is no concept of allowing different users to view different types of data.

This does not mean that the Global Registry is without security. Only authenticated users can create, modify or delete structures in the Global Registry. An authenticated user is further limited to modifying Structures within the Agency for which that user has been granted permission.


HTTPS

The Global Registry is running on a server on which HTTPS has been enabled. The HTTPS protocol ensures that a Website being accessed is authentic and operated by a legitimate entity. It achieves this through the use of a certificate which is registered with a trusted certificate authority. Only users that wish to modify or create data need to access the Global Registry via HTTPS.

IMPORTANT NOTE: Currently the security certificate within the Global Registry has not been registered with a trusted certificate authority. This means that users navigating to https://test.sdmxregistry.org will be presented with a warning page (the exact nature of this page is browser dependent) informing the user that the website is attempting to set up a secure connection, but has not been trusted by a certificate authority. The user will have to accept this to obtain secured access to the Global Registry. This will not be the case once the Global Registry goes live.

Security is handled using Basic Access Authentication. This means that a user simply has to supply a userid and password to be able to log into the Global Registry. The userid and password are encrypted by the HTTPS protocol, which ensures that communications between the User and the Global Registry Website cannot be read or forged by a third party. So the use of HTTPS protects against:

  • eavesdropping on communications between the client and server,
  • tampering with the messages,
  • forging the contents of the communication,
  • man-in-the-middle attacks.


Application to Application Security

It is possible to write an application to create, modify or delete the Global Registry Structures. To achieve this, the application needs to be trusted by the Global Registry, and this involves the use of certificates.

The site that is hosting the application needs to generate a certificate and pass the public certificate to the Global Registry Administrator. The Global Registry Administrator will then add this certificate to the internal truststore. The Global Registry will then trust HTTPS communication from the server defined within that certificate and accept submission and modification requests.

If you wish to configure an application to modify the Global Registry contents, then please get in touch with the Global Registry Administrator.
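
The following Python example is added here and is not part of the Global Registry documentation or its code. It relates the Basic Access Authentication and application-to-application passages above: the Basic header is only base64 and can be decoded without a key, so the client refuses any non-HTTPS URL and keeps certificate verification on, trusting a pinned certificate where the server's certificate is not registered with a public authority. The credentials, the URL path, the PEM file parameters and the use of POST are assumptions made for illustration.

```python
import base64
import ssl
import urllib.request
from urllib.parse import urlsplit


def basic_auth_header(userid, password):
    """Basic Access Authentication header value: base64 of 'userid:password'."""
    token = base64.b64encode(f"{userid}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def decode_basic_auth(header):
    """Recover the credentials from the header; no key is needed to do so."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    userid, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return userid, password


def build_tls_context(pinned_ca=None, client_cert=None, client_key=None):
    """TLS settings with certificate and hostname verification left on."""
    # pinned_ca (assumed PEM path): trust only this certificate, for a server
    # whose certificate is not registered with a public authority.
    ctx = ssl.create_default_context(cafile=pinned_ca)
    if client_cert:
        # Assumed PEM paths: the application's certificate, whose public part
        # was passed to the Registry Administrator, and its private key.
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx


def build_submission(url, userid, password, body):
    """Prepare an authenticated request, refusing any URL that is not HTTPS."""
    if urlsplit(url).scheme != "https":
        raise ValueError("credentials may only be sent over HTTPS")
    # POST is an assumption; the page does not name the method or endpoint.
    request = urllib.request.Request(url, data=body, method="POST")
    request.add_header("Authorization", basic_auth_header(userid, password))
    return request


if __name__ == "__main__":
    # Constructed credentials and a placeholder path on the page's test host.
    req = build_submission("https://test.sdmxregistry.org/PLACEHOLDER",
                           "alice", "s3cret", b"<structures/>")
    print(decode_basic_auth(req.get_header("Authorization")))
    # To send: urllib.request.urlopen(req, context=build_tls_context())
```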