90. Definition: Core Enterprise Services (CES) provide generic, domain independent, technical functionality that enables or facilitates the operation and use of Information Technology (IT) resources.
91. CES will be broken up further into:
Infrastructure Services (incl. Information Assurance (IA) services)
Service Oriented Architecture (SOA) Platform Services
Enterprise Support Services
92. Definition: Infrastructure Services provide software resources required to host services in a distributed and federated environment. They include computing, storage and high-level networking capabilities that can be used as the foundation for data centre or cloud computing implementations.
93. To provide federated services the standards listed in Table D.6 should be adhered to.
ID: Service/Purpose | Standards | Implementation Guidance |
---|---|---|
1: Distributed Time Services: Time synchronization | To aid rapid post-event reconstruction, ALL networked equipment will be set to process time as Coordinated Universal Time (UTC), i.e. the ZULU time zone applies to the whole Mission Network [AMN TPT CES Sept 2011]. | All new capabilities shall use NTPv4. Some legacy systems may still need to use NTPv3. TCNs connecting to the AMN Core must use the time service of the AMN Core. A stratum-1 time server is directly linked (not over a network path) to a reliable source of UTC such as GPS, WWV, or CDMA transmissions received through a modem connection, satellite, or radio. Stratum-1 devices must implement IPv4 and IPv6 so that they can serve time to both IPv4 and IPv6 Mission Network Elements. The W32Time service on all Windows Domain Controllers is to synchronize time through the domain hierarchy (NT5DS type); the PDC emulator of the forest root domain sits at the top of that hierarchy and is the one controller that must be pointed at the stratum-1 source. Databases are to implement TIMESTAMP as specified in row 4 below. |
2: Domain Name Services: Naming and Addressing | | |
3: Identification and addressing of objects on the network. | | Namespaces within XML documents shall use unique URIs (in practice URLs) for the namespace designation. |
4: Infrastructure Storage Services: storing and accessing information about the time of events and transactions | Databases shall store all date and time values in TIMESTAMP WITH TIME ZONE (TIMESTAMPTZ). | As the AMN user community spans several time zones, applications will increasingly need to conduct transactions across different time zones. Timestamps are essential for auditing purposes, so the integrity of timestamps must be maintained across all Mission Network Elements. From Oracle 9i, PostgreSQL 7.3 and MS SQL Server 2008 onwards, the time zone can be stored with the time directly by using the TIMESTAMP WITH TIME ZONE (Oracle, PostgreSQL) or datetimeoffset (MS SQL Server) data types. Note that PostgreSQL's TIMESTAMPTZ stores the absolute instant (normalised to UTC) and does not retain the originating offset; where the originating zone is itself audit-relevant it must be stored in a separate column, whereas the Oracle and SQL Server types above do retain the offset. On the AMN, human interfaces may convert the time for display to the user as (e.g.) D30 (i.e. local) as required. See also Table D.15 for details on representing time within applications. |
5: Infrastructure IA Services: Facilitate the access and authorization between users and services. Directory access and management service | | There are three options available to a Troop Contributing Nation (TCN) when joining their national network extension to the AMN: 1. Join the ISAF SECRET AD forest on the AMN Core; 2. Join the AD forest of an existing AMN TCN; 3. Create its own AD forest for the new AMN TCN (Options 1 and 2 should be considered by the prospective joining TCN before Option 3). Whilst LDAP is a vendor-independent standard, in practice Microsoft Active Directory (AD) is a common product providing directory services on national and NATO-owned Mission Network Elements. It should be noted that AD provides additional services beyond LDAP-like functionality. Note: Active Directory Federation Services (ADFS) will not be used on the AMN. The AMN is one logical network based on mutual trust; in such a trusted environment there is no requirement or use case for single sign-on for web services. In those cases where an outside or untrusted subdomain of a nationally implemented network requires access to web services on the AMN, access will be granted using local accounts created on the parent (AMN) domain. |
6: Infrastructure IA Services: Digital Certificate Services | | Note: on the AMN, PKI is only used for authentication (encryption of login). It is not used for the encryption of the entire session[a]. |
7: Infrastructure IA Services: Authentication Services | | |
8: Infrastructure Processing (Operating System) Services | Operating Systems used on the AMN must be accredited by the respective Security Accreditation Authority. As a minimum the Operating Systems should support the specifications for the above (Infrastructure IA Services). | Clients on the AMN Core and on Option 1 TCN National Network Extensions are strongly advised to use Windows 7 Enterprise, given Microsoft's April 2014 end of support for Windows XP. Windows 7 Enterprise was selected because it includes AppLocker (remote enforcement of application control policies) and integrates with SharePoint 2010 and MS Office Professional Plus 2010. Windows Server 2008 R2 Standard (Full installation, 64-bit) is strongly advised for all Domain Controllers; Service Pack 1 (SP1) should be installed. |
[a] If PKI were used for the encryption of the entire session, it would create a flurry of un-monitorable traffic across the AMN. This would in turn require certificate (TLS interception) proxy services to regain visibility of the traffic, leading to a significant slow-down in information flow, which would have an impact in an operation that requires real-time information flows.
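The NTPv4 requirement in row 1 has a client-side counterpart: a time client should not accept whatever a server sends. The following Python example (added here; it is not part of the AMN profile, and the reply bytes are constructed) builds an RFC 5905 client request, then applies the checks a client should make before trusting a reply (server mode, usable stratum, leap indicator, echoed origin timestamp) and computes the clock offset and round-trip delay from the four timestamps.

```python
"""NTPv4 (RFC 5905) client-side packet handling with the sanity checks a time
client should apply before trusting a reply. Added example, not from the AMN
profile; the reply bytes below are constructed."""
import struct

# 48-byte NTP header, no extension fields or MAC: LI/VN/Mode, stratum, poll,
# precision, root delay, root dispersion, reference ID, then the reference,
# origin, receive and transmit timestamps (64-bit: 32-bit seconds since 1900
# plus a 32-bit fraction).
NTP_FMT = "!BBBbII4sQQQQ"
NTP_EPOCH_OFFSET = 2208988800          # seconds from 1900-01-01 to 1970-01-01
ONE_SECOND = 1 << 32                   # one second in 64-bit timestamp units


def ntp_ts(seconds, fraction=0):
    """Pack whole seconds since 1900 and a 32-bit fraction into a 64-bit timestamp."""
    return (seconds << 32) | fraction


def ntp_to_unix(ts):
    """Convert a 64-bit NTP timestamp to Unix seconds (float)."""
    return (ts >> 32) - NTP_EPOCH_OFFSET + (ts & 0xFFFFFFFF) / ONE_SECOND


def build_request(t1):
    """Client request: LI=0, VN=4, Mode=3. Our transmit time T1 goes in the
    transmit field; a genuine reply echoes it in the origin field."""
    li_vn_mode = (0 << 6) | (4 << 3) | 3
    return struct.pack(NTP_FMT, li_vn_mode, 0, 0, 0, 0, 0, b"\0\0\0\0", 0, 0, 0, t1)


def parse_reply(data, t1, t4):
    """Validate a reply received at local time t4 to the request sent at t1 and
    return offset and delay in seconds plus the server's stratum and reference."""
    if len(data) < struct.calcsize(NTP_FMT):
        raise ValueError("short NTP packet")
    (li_vn_mode, stratum, _poll, _precision, _root_delay, _root_disp, refid,
     _ref_ts, origin, t2, t3) = struct.unpack(NTP_FMT, data[:48])
    li, version, mode = li_vn_mode >> 6, (li_vn_mode >> 3) & 7, li_vn_mode & 7
    if mode != 4:
        raise ValueError("mode %d is not a server reply" % mode)
    if version not in (3, 4):
        raise ValueError("unsupported NTP version %d" % version)
    if stratum == 0:
        # Kiss-o'-Death: the reference ID carries an ASCII code such as RATE or DENY
        raise ValueError("kiss-o'-death: %s" % refid.decode("ascii", "replace"))
    if stratum > 15 or li == 3:
        raise ValueError("server unsynchronised (stratum %d, LI %d)" % (stratum, li))
    if origin != t1:
        # RFC 5905 bogus-packet test: an off-path attacker cannot know T1
        raise ValueError("origin timestamp does not match our request")
    if t3 == 0 or t3 < t2:
        raise ValueError("implausible server timestamps")
    offset = ((t2 - t1) + (t3 - t4)) / 2 / ONE_SECOND
    delay = ((t4 - t1) - (t3 - t2)) / ONE_SECOND
    return {"stratum": stratum, "refid": refid.rstrip(b"\0").decode("ascii", "replace"),
            "offset": offset, "delay": delay, "server_time_unix": ntp_to_unix(t3)}


# Constructed exchange: T1 and T4 are read from the client clock, T2 and T3 from
# the server clock; fractions are exact multiples of 1/8 s to keep the arithmetic visible.
T1 = ntp_ts(3_900_000_000)
T2 = ntp_ts(3_900_000_000, 0x40000000)      # T1 + 0.250 s (server receive)
T3 = ntp_ts(3_900_000_000, 0x60000000)      # T1 + 0.375 s (server transmit)
T4 = ntp_ts(3_900_000_000, 0x80000000)      # T1 + 0.500 s (client receive)
SERVER_MODE4 = (0 << 6) | (4 << 3) | 4
SAMPLE_REPLY = struct.pack(NTP_FMT, SERVER_MODE4, 1, 6, -20, 0, 0, b"GPS\0",
                           ntp_ts(3_899_999_990), T1, T2, T3)
KOD_REPLY = struct.pack(NTP_FMT, SERVER_MODE4, 0, 6, -20, 0, 0, b"RATE", 0, T1, T2, T3)

if __name__ == "__main__":
    print(len(build_request(T1)), "byte request")
    print(parse_reply(SAMPLE_REPLY, T1, T4))
```

The origin-timestamp check is the one that matters most on a shared network: a reply whose origin field does not equal the T1 the client sent is discarded, which is what stops a blindly spoofed reply from steering the clock. With the constructed values the offset works out to +0.0625 s and the round-trip delay to 0.375 s.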
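For the TIMESTAMP WITH TIME ZONE requirement in row 4, the following Python example (added here, not from the profile) shows the handling an application should apply on the way into and out of such a column: a timestamp without an explicit offset is rejected rather than guessed, the instant is normalised to UTC for ordering and correlation while the originating offset is kept for audit, and events logged by elements in different zones are reconstructed in true order and rendered both in Zulu and in a local zone. The records and the UTC+04:30 local zone (standing in for the profile's "D30") are constructed assumptions.

```python
"""Normalising audit timestamps from Mission Network Elements in different time
zones. Added example, not part of the AMN profile; the records below are
constructed and the local zone is an assumption."""
from datetime import datetime, timedelta, timezone

# Assumed display zone UTC+04:30, standing in for the "D30 (i.e. local)" of the profile
LOCAL_ZONE = timezone(timedelta(hours=4, minutes=30), name="D30")


def parse_timestamp(text):
    """Parse an ISO 8601 / SQL-style timestamp. A value without an explicit UTC
    offset is ambiguous across zones and is rejected rather than guessed."""
    text = text.strip()
    if text.endswith("Z"):                 # older fromisoformat() does not accept 'Z'
        text = text[:-1] + "+00:00"
    dt = datetime.fromisoformat(text)
    if dt.utcoffset() is None:
        raise ValueError("timestamp %r carries no UTC offset" % text)
    return dt


def to_storage(text):
    """What to persist: the instant in UTC (for ordering and correlation) and the
    originating offset in minutes (for audit, in case the column drops it)."""
    dt = parse_timestamp(text)
    offset_min = int(dt.utcoffset().total_seconds() // 60)
    return dt.astimezone(timezone.utc).isoformat(), offset_min


def reconstruct(events):
    """events: list of (source, timestamp text). Returns them in true chronological
    order, each with a Zulu rendering and a local (D30) rendering."""
    ordered = sorted(events, key=lambda e: parse_timestamp(e[1]))
    out = []
    for source, text in ordered:
        dt = parse_timestamp(text)
        out.append((source,
                    dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
                    dt.astimezone(LOCAL_ZONE).strftime("%Y-%m-%dT%H:%M:%S%z")))
    return out


# Constructed sample: three elements logging one incident in their own zones
SAMPLE_EVENTS = [
    ("tcn-a-gateway", "2014-03-01 09:15:30+04:30"),   # local (D30) wall clock
    ("amn-core-dc01", "2014-03-01T04:45:00Z"),         # UTC (Zulu)
    ("tcn-b-mail",    "2014-03-01T05:46:10+01:00"),    # Central European Time
]

if __name__ == "__main__":
    for row in reconstruct(SAMPLE_EVENTS):
        print(*row)
```

Sorted by wall-clock text the mail server's entry would appear last and the gateway's first; sorted by instant, the domain controller's 04:45:00Z entry is the earliest, which is the order an investigator needs.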
94. Definition: SOA Platform Services provide a foundation to implement web-based services in a loosely coupled environment, where flexible and agile service orchestration is a requirement. They offer generic building blocks for SOA implementation (e.g. discovery, message busses, orchestration, information abstraction and access, etc.) and can be used as a capability integration platform in a heterogeneous service-provisioning ecosystem.
95. To provide federated services the standards listed in Table D.7 should be adhered to.
ID: Service/Purpose | Standards | Implementation Guidance |
---|---|---|
1: Web Platform Services | | HTTP shall be used as the transport protocol for information without 'need-to-know' caveats between all service providers and consumers (unsecured HTTP traffic). HTTPS shall be used as the transport protocol between all service providers and consumers where Confidentiality requirements apply (secured HTTP traffic). Unsecured and secured HTTP traffic shall share the same port. Note that standard web servers listen for plaintext HTTP on port 80 and for TLS on port 443 (RFC 2818); serving both on one port requires a front end that distinguishes a TLS ClientHello from a plaintext request on the same listener. |
2: Publishing information including text, multimedia, hyperlink features, scripting languages and style sheets on the network | | |
3: Providing a common style sheet language for describing presentation semantics (that is, the look and formatting) of documents written in mark-up languages like HTML. | | |
4: General formatting of information for sharing or exchange. | | XML shall be used for data exchange to satisfy those Information Exchange Requirements (IERs) on the AMN that are not addressed by a specific information exchange standard. XML Schemas and namespaces are required for all XML documents. |
5: Providing web content or web feeds for syndication to web sites as well as directly to user agents. | | |
6: Encoding of location as part of web feeds | | GML allows a coordinate reference system (CRS) other than WGS84 decimal degrees (latitude/longitude) to be specified. If there is a need to express geography in a CRS other than WGS84, it is recommended to specify the geographic object multiple times: once in WGS84 and again in each other desired CRS. See also Table D.10 regarding Coordinate Reference Systems. Schema location for the GeoRSS GML Profile 1.0: http://georss.org/xml/1.0/gmlgeorss.xsd |
7: Message Security for web services | | WS-Security specifies how integrity and confidentiality can be enforced on messages and allows the communication of various security token formats, such as SAML, Kerberos, and X.509v3. Its main focus is the use of XML Signature and XML Encryption to provide end-to-end security. XML Encryption specifies a process for encrypting data and representing the result in XML; it is referenced by the WS-Security specification. XML Signature specifies XML digital signature processing rules and syntax; it is likewise referenced by the WS-Security specification. |
8: Security token format | | Provides an XML-based syntax for security tokens containing assertions that pass information about a principal (usually an end user) between an identity provider and a web service. Also describes how to use SAML security tokens with the WS-Security specification. |
9: Security token issuing | | Uses the WS-Security base mechanisms and defines additional primitives and extensions for security token exchange to enable the issuance and dissemination of credentials within different trust domains. Extends WS-Trust to allow federation of different security realms, and describes which aspects of the federation framework are required or supported by federation participants so that this information can be used to determine the appropriate communication options. |
10: Transforming XML documents into other XML documents | | Developer best practice for the translation of XML-based documents into other formats or schemas. |
11: Configuration management of structured data standards, service descriptions and other structured metadata. | | Used as the foundation for setup, maintenance and interaction with an (AMN) Metadata Registry and Repository for sharing and configuration management of XML metadata. Also enables federation among metadata registries/repositories. |
12: Exchanging structured information in a decentralized, distributed environment via web services | | The preferred method for implementing web services is SOAP; however, there are many use cases (mash-ups etc.) where a REST-based interface is easier to implement and sufficient to meet the IERs. RESTful services support HTTP caching where the data the web service returns is not altered frequently and is not dynamic in nature. REST is particularly useful for restricted-profile devices such as mobile phones and tablets, for which the overhead of SOAP headers and envelope elements is a burden. |
13: Secure exchange of data objects and documents across multiple security domains | The Draft X-Labels syntax definition is called the "NATO Profile for the XML Confidentiality Label Syntax" and is based on version 1.0 of the RTG-031 proposed XML confidentiality label syntax; see "Sharing of information across communities of interest and across security domains with object level protection" below. | |
14: Topic based publish / subscribe web services communication | | Enables topic-based subscriptions for web service notifications, with an extensible filter mechanism and support for message brokers. |
15: Providing transport-neutral mechanisms to address web services | | Provides transport-neutral mechanisms to address web services and messages, which is crucial for providing end-to-end message-level security, reliable messaging, and publish/subscribe-based web services. |
16: Reliable messaging for web services | | Describes a protocol that allows messages to be transferred reliably between nodes implementing this protocol in the presence of software component, system, or network failures. |
[a] This specification is subject to the following copyright: (c) 2001-2006 BEA Systems, Inc., BMC Software, CA, Inc., International Business Machines Corporation, Layer 7 Technologies, Microsoft Corporation, Inc., Novell, Inc. and VeriSign, Inc. All rights reserved.
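Rows 4 to 6 together describe a namespaced XML document (a GeoRSS feed) that may carry the same location in several CRSs. The following Python example (added here, not from the profile) parses such a feed defensively: it refuses DTDs before handing the bytes to the parser, requires every element to be namespace-qualified, normalises the different spellings of an EPSG srsName, and selects the WGS84 position for each entry while reporting entries that only carry another CRS instead of guessing. The feed is constructed; the UTM (EPSG:32642) coordinates in it are placeholders, not real conversions of the WGS84 points.

```python
"""Defensive parsing of a GeoRSS-GML Atom feed with positions in more than one
CRS. Added example, not from the AMN profile; the feed is constructed and its
UTM coordinates are placeholders."""
import re
import xml.etree.ElementTree as ET

NS = {"atom": "http://www.w3.org/2005/Atom",
      "georss": "http://www.georss.org/georss",
      "gml": "http://www.opengis.net/gml"}
WGS84 = "EPSG:4326"       # GeoRSS default; gml:pos in this CRS is "latitude longitude"
_EPSG = re.compile(r"EPSG(?:::|:|/0/|\.xml#)(\d+)$", re.IGNORECASE)


def safe_parse(data):
    """Refuse any DTD before parsing: blocks entity expansion and external entities."""
    if isinstance(data, str):
        data = data.encode("utf-8")
    if b"<!DOCTYPE" in data or b"<!ENTITY" in data:
        raise ValueError("DTD and entity declarations are not accepted")
    return ET.fromstring(data)


def require_namespaces(root):
    """Every element must be namespace-qualified, as the profile requires;
    returns the set of namespace URIs used."""
    seen = set()
    for el in root.iter():
        if not isinstance(el.tag, str):      # comments / processing instructions
            continue
        if not el.tag.startswith("{"):
            raise ValueError("element <%s> has no namespace" % el.tag)
        seen.add(el.tag[1:].split("}", 1)[0])
    return seen


def normalise_crs(srs_name):
    """Reduce the EPSG spellings seen in srsName (EPSG:4326, urn:ogc:def:crs:EPSG::4326,
    http://www.opengis.net/def/crs/EPSG/0/4326, ...) to 'EPSG:<code>'."""
    if not srs_name:
        return WGS84                          # absent srsName means WGS84 in GeoRSS
    m = _EPSG.search(srs_name)
    if not m:
        raise ValueError("unrecognised CRS identifier %r" % srs_name)
    return "EPSG:%s" % m.group(1)


def wgs84_positions(root):
    """Return ({entry id: (lat, lon)}, [(entry id, [other CRSs])]) choosing the
    WGS84 point of each entry and never converting from another CRS by guesswork."""
    found, unresolved = {}, []
    for entry in root.findall("atom:entry", NS):
        entry_id = entry.findtext("atom:id", default="?", namespaces=NS)
        by_crs = {}
        for point in entry.findall("georss:where/gml:Point", NS):
            pos = point.findtext("gml:pos", default="", namespaces=NS).split()
            if len(pos) != 2:
                raise ValueError("%s: malformed gml:pos" % entry_id)
            by_crs[normalise_crs(point.get("srsName"))] = (float(pos[0]), float(pos[1]))
        if WGS84 in by_crs:
            found[entry_id] = by_crs[WGS84]
        else:
            unresolved.append((entry_id, sorted(by_crs)))
    return found, unresolved


# Constructed feed: entry 1 follows the profile's advice (WGS84 plus UTM zone 42N),
# entry 2 relies on the GeoRSS default CRS, entry 3 carries only a UTM position.
SAMPLE_FEED = b"""<?xml version="1.0" encoding="UTF-8"?>
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:georss="http://www.georss.org/georss"
      xmlns:gml="http://www.opengis.net/gml">
  <title>Constructed sample feed</title>
  <entry><id>urn:example:report:1</id>
    <georss:where><gml:Point srsName="urn:ogc:def:crs:EPSG::4326"><gml:pos>34.5 69.2</gml:pos></gml:Point></georss:where>
    <georss:where><gml:Point srsName="urn:ogc:def:crs:EPSG::32642"><gml:pos>518000 3818000</gml:pos></gml:Point></georss:where>
  </entry>
  <entry><id>urn:example:report:2</id>
    <georss:where><gml:Point><gml:pos>31.6 65.7</gml:pos></gml:Point></georss:where>
  </entry>
  <entry><id>urn:example:report:3</id>
    <georss:where><gml:Point srsName="urn:ogc:def:crs:EPSG::32642"><gml:pos>400000 3500000</gml:pos></gml:Point></georss:where>
  </entry>
</feed>"""

if __name__ == "__main__":
    feed = safe_parse(SAMPLE_FEED)
    print(sorted(require_namespaces(feed)))
    print(wgs84_positions(feed))
```

Entry 3 is the case the profile's recommendation is meant to avoid: without a WGS84 copy of the point, a consumer that does not know EPSG:32642 can do nothing safe with it, so the function reports it rather than silently treating the UTM pair as degrees.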
96. Definition: Enterprise Support Services are a set of Community Of Interest (COI) independent services that must be available to all members within the AMN. Enterprise Support Services facilitate other service and data providers on the federated networks by providing and managing underlying capabilities to facilitate collaboration and information management for end-users.
97. For the purposes of this Volume, Enterprise Support Services will be broken up further into:
Unified Communication and Collaboration Services
Information Management Services
Geospatial Services
98. Definition: Unified Communication and Collaboration Services provide users with a range of interoperable collaboration capabilities, based on standards that fulfill operational requirements. They will enable real-time situational updates to time-critical planning activities between coalition partners, communities of interest (e.g. the Intel community or the Logistics community), and other agencies. Levels of collaboration include awareness, shared information, coordination and joint product development.
99. Different use cases require different levels of protection of these communication and collaboration services. For voice or audio-based collaboration services, the AMN profile can provide interoperability standards for two different scenarios:
A. Voice over Secure IP (VoSIP) network services
B. Network agnostic Secure Voice Services (such as 3G, IP/4G, ISDN)
100. On AMN, VoSIP is mandatory. If however network agnostic Secure Voice services are required in addition to VoSIP[2], then Secure Communications Interoperability Protocol (SCIP) specifications as defined for audio-based collaboration services (end-to-end protected voice) over any network should be used[3]. [Note this has been included due to the emerging requirements regarding Operation Resolute Support (i.e. from Jan 2015, post ISAF)]
101. For text-based collaboration there is also a basic profile sufficient for operating this service with reduced protection requirements as well as an enhanced XMPP profile that includes additional security mechanisms.
102. To provide federated services the standards listed in Table D.8 should be adhered to.
ID: Service/Purpose | Standards | Implementation Guidance |
---|---|---|
1: Video-based Collaboration Services (VTC) |
|
AMN VTC over IP is based on a QoS-Enabled Network Infrastructure (QENI) using DiffServ. The AMN-wide allowed interconnections are: A) peer to peer, B) peer to MCU (Multipoint Control Unit) and C) peer to MCU to MCU to peer. |
2: Audio-based Collaboration Services |
|
VoSIP refers to a non-protected (not end-to-end encrypted) voice service running on a classified IP network, as in the case of the AMN. All numbers (calling and called) passed over the NIP consist of 13 digits irrespective of the networks involved; the 13 digits consist of a 6-digit prefix and a 7-digit subscriber number, and a TCN must be prepared to pass all 13 digits over the NIP. By default the subscriber number should be taken from STANAG 5046. Voice sampling interval between voice packets: 40 ms. RTP ports: 16384 and/or 16385. See also the detailed Interface Control Document for "Voice over Secure IP (VoSIP) Network Service" [THALES ICD 61935771-558 A Jul 2009]. |
3: Audio-based Collaboration Services (end-to-end protected voice) (Secure Communications Interoperability Protocol. SCIP) |
|
Secure voice services over any network. V.150.1 must be supported end-to-end by the unclassified voice network. SCIP-214 applies only to gateways. Note that SCIP-216 requires universal implementation. |
4: Informal messaging services (e-mail) |
|
Conditional: messages must be labelled in the message header field "Keywords" (RFC 2822) according to the following convention:
Where:
Example:
|
5: Content encapsulation within bodies of internet messages | Multipurpose Internet Mail Extensions (MIME) specification:
|
10 MB max message size limit
Minimum Content-Transfer-Encoding:
Minimum set of media and content-types:
|
6: text-based collaboration services |
|
Near-real time text-based group collaboration capability for time critical reporting and decision making in military operations. |
6.1: text-based collaboration services (basic XMPP profile) |
|
IETF RFC 6120 supersedes IETF RFC 3920
IETF RFC 6121 XMPP IM supersedes IETF RFC 3921 |
6.2: text-based collaboration services (enhanced XMPP profile). |
|
Developers are also advised to consult the following IETF RFCs:
|
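The VoSIP row above fixes the dialled-number format, the RTP ports and a 40 ms packet cadence. The following Python example (added here, not from the profile or the referenced ICD) shows how those figures translate into checks on a captured stream: number splitting, RFC 3550 header decoding, and detection of sequence gaps, cadence breaks and a mid-stream change of SSRC. The packets are constructed, and the 8 kHz RTP clock (320 samples per 40 ms, as for G.711) is an assumption the profile does not state.

```python
"""Checks derived from the VoSIP row of Table D.8: 13-digit NIP numbers, RTP
ports, RFC 3550 header decoding and the 40 ms packet cadence. Added example;
packets are constructed and the 8 kHz clock (G.711) is an assumption."""
import struct

RTP_PORTS = {16384, 16385}            # from the profile
CLOCK_HZ = 8000                       # assumed RTP clock rate (G.711)
PTIME_MS = 40                         # from the profile
SAMPLES_PER_PACKET = CLOCK_HZ * PTIME_MS // 1000   # 320 clock ticks per packet


def split_number(digits):
    """Split a 13-digit NIP number into its 6-digit prefix and 7-digit subscriber part."""
    if len(digits) != 13 or not digits.isdigit():
        raise ValueError("NIP numbers are exactly 13 digits: %r" % digits)
    return digits[:6], digits[6:]


def parse_rtp(packet):
    """Decode the fixed RTP header (RFC 3550 section 5.1) and locate the payload."""
    if len(packet) < 12:
        raise ValueError("short RTP packet")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", packet[:12])
    if b0 >> 6 != 2:
        raise ValueError("RTP version %d is not 2" % (b0 >> 6))
    header_len = 12 + 4 * (b0 & 0x0F)          # fixed header plus CSRC list
    return {"seq": seq, "ts": ts, "ssrc": ssrc, "pt": b1 & 0x7F,
            "marker": bool(b1 & 0x80), "payload": packet[header_len:]}


def check_stream(port, packets):
    """Return a list of anomalies for a captured one-way RTP stream."""
    issues = []
    if port not in RTP_PORTS:
        issues.append("unexpected RTP port %d" % port)
    prev = None
    for raw in packets:
        hdr = parse_rtp(raw)
        if prev is not None:
            step = (hdr["ts"] - prev["ts"]) & 0xFFFFFFFF
            if hdr["ssrc"] != prev["ssrc"]:
                # a new SSRC mid-call is a new source: renegotiation or injection
                issues.append("SSRC changed mid-stream at seq %d" % hdr["seq"])
            elif hdr["seq"] != (prev["seq"] + 1) & 0xFFFF:
                issues.append("sequence gap %d -> %d" % (prev["seq"], hdr["seq"]))
            elif step != SAMPLES_PER_PACKET:
                issues.append("timestamp step %d at seq %d (expected %d)"
                              % (step, hdr["seq"], SAMPLES_PER_PACKET))
        prev = hdr
    return issues


def make_packet(seq, ts, ssrc=0x1234ABCD, pt=0):
    """Constructed RTP packet: V=2, no padding/extension/CSRC, 40 ms of payload."""
    return struct.pack("!BBHII", 2 << 6, pt, seq, ts, ssrc) + bytes(SAMPLES_PER_PACKET)


GOOD_STREAM = [make_packet(100 + i, 1000 + SAMPLES_PER_PACKET * i) for i in range(4)]
BAD_STREAM = GOOD_STREAM[:2] + [
    make_packet(103, 1000 + SAMPLES_PER_PACKET * 3),                        # seq 102 lost
    make_packet(104, 1000 + SAMPLES_PER_PACKET * 4 + 160),                  # 60 ms step
    make_packet(105, 1000 + SAMPLES_PER_PACKET * 5 + 160, ssrc=0xDEADBEEF),  # new source
]

if __name__ == "__main__":
    print(split_number("1234567890123"))
    print(check_stream(16384, GOOD_STREAM), check_stream(5004, BAD_STREAM))
```

A sequence gap is ordinary packet loss; a timestamp step that is not 320 means the sender changed its packetisation or something was inserted; an SSRC change inside one call is the finding worth escalating, since legitimate streams keep their SSRC for the life of the session.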
103. Definition: Information Management Services provide technical services "...to direct and support the handling of information throughout its life-cycle ensuring it becomes the right information in the right form and of adequate quality to satisfy the demands of an organization." These services support organizations, groups, individuals and other technical services with capabilities to organize, store and retrieve information (in any format, structured or unstructured) through services and managed processes, governed by policies, directives, standards, profiles and guidelines.
104. To provide federated services the standards listed in Table D.9 should be adhered to. Additionally, all information should be labelled with the minimum metadata set defined by ISAF.
ID: Service/Purpose | Standards | Implementation Guidance |
---|---|---|
1: Enterprise Search Services: Automated information resource discovery, information extraction and interchange of metadata | | ISO 15836:2009 does not define implementation detail. This profile requires a subset of metadata with UTF-8 character encoding as defined in the NATO Discovery Metadata Specification (NDMS). The technical implementation specifications are part of the TIDE Transformational Baseline v3.0; however, Query-by-Example (QBE) has been deprecated with the TIDE Information Discovery specifications v2.3.0 and replaced by SPARQL. The TIDE community is evaluating OpenSearch for potential inclusion into the TIDE Information Discovery specifications. On the AMN Core a commercial product called FAST ESP is used to generate search indexes. This product could act as an OpenSearch consumer ("slave"), but requires adaptation to this open standard, and only over HTTP. For automated information discovery across the AMN all potential information sources must provide this standard search interface in order to allow tools like FAST ESP to discover relevant information. |
2: Enterprise Search Services: manual information resource discovery, classification marking and file naming conventions | | |
3: Enterprise Support Guard Services: General definition of Security and confidentiality metadata | | Services and applications shall implement object-level labelling in order to support cross-domain information exchange using common Enterprise Support Guard Services (e.g. Cross-Domain Solutions or Information Exchange Gateways). |
[a] NC3A TN-1455 is the NATO profile of NO-FFI 00962. [b] NC3A TN-1456 is the NATO profile of NO-FFI 00961.
105. Definition: Geospatial Services deliver network-based access to quality raster, vector and terrain data, available in varying degrees of format and complexity. Geospatial Services form a distinct class of information services through their unique requirements for collecting, converting, storing, retrieving, processing, analyzing, creating, and displaying geographic data. The generic nature of Geospatial Services - "organizing information by location" - is interdisciplinary and not specific to any Community of Interest (COI) or application.
106. To provide federated services the standards listed in Table D.10 should be adhered to.
ID: Service/Purpose | Standards | Implementation Guidance |
---|---|---|
1: Geospatial Coordinate Services: identifying Coordinate Reference Systems (CRS) | | The European Petroleum Survey Group (EPSG) maintains the most comprehensive and accurate register of international geodetic codes and parameters for CRS. To identify the CRS for the exchange of geospatial data, a standard naming convention and reference repository is required. |
2: GeoWeb Service Interface to GIS Servers | | There are implementations of the open Esri GeoServices REST specification from various other vendors. The REST API may be used as an easier-to-implement and rich interface to the server-side GIS capabilities; Functional Services that support this interface may take advantage of it. |
3: Geo-Analytical Functionality as a Service | | Instead of retrieving all required spatial data in order to analyze it in a fat client, clients are encouraged to invoke the analytical processes where the data resides, so that only the analytic result needs to be transmitted from the server to the client. |
4: 3D Perspective Viewer as a GeoWeb-Service | | Nil |
5: Geodetic and geophysical model of the Earth. | | |
6: Electronic format for medium resolution terrain elevation data. | | Used to support line-of-sight analyses, terrain profiling, 3D terrain visualization, mission planning/rehearsal, and modelling and simulation. |
7: Services to publish geospatial data as maps rendered in raster image formats | | WMTS is to be provided as a complementary service to WMS to ease access for users operating in bandwidth-constrained environments. WMTS trades the flexibility of custom map rendering for the scalability made possible by serving static data (base maps) in which the bounding box and scales have been constrained to discrete tiles. This enables the use of standard network mechanisms for scalability, such as distributed cache systems that cache images between the client and the server, reducing latency and bandwidth use. |
8: Services to publish vector-based geospatial feature data to applications | | |
9: Electronic interchange of geospatial data as coverage, that is, digital geospatial information representing space-varying phenomena | | Web Coverage Service v1.1.1 is limited to describing and requesting grid (or "simple") coverages. OGC Web Coverage Service (WCS) Standard Guidance Implementation Specification 1.0 |
10: File based storage and exchange of digital geospatial mapping (raster) data where service-based access is not possible | | This is provided for legacy syst

ems; implementers are encouraged to upgrade their systems to consume OGC Web Services. In practice, the exchange of large geospatial (raster) data sets between Geo organizations of different TCNs is conducted in the proprietary[b] Multi-resolution Seamless Image Database format (MrSID Generation 3). Data in MrSID format can be transformed to GeoTIFF. |
11: File based storage and exchange of non-topological geometry and attribute information or digital geospatial feature (vector) data | | ESRI Shapefiles are used by legacy systems and as a file-based interchange format. Implementers are encouraged to upgrade their systems to ones based on OGC Web Services. File geodatabases store datasets as folders in a file system, with each file capable of storing more than 1 TB of information. Each file geodatabase can hold any number of these large, individual datasets. File geodatabases can be used across all platforms and can be compressed. They support the complete geodatabase information model and are faster than shapefiles for large datasets. Users are rapidly adopting the file geodatabase in place of shapefiles. |
12: Geospatial Coordinate Services: general positioning, coordinate systems, and coordinate transformations | | |
[a] GeoTIFF 1.8.2 is a public domain metadata standard for embedding geo-referencing information within a TIFF revision 6.0 file. [b] Requires LizardTech's (lizardtech.com) decoding software development kit (DSDK). The MrSID file format is a proprietary technology that provides tools for the rapid compression, viewing, and manipulation of geospatial raster and LiDAR data.
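Row 7 explains that WMTS gets its scalability by constraining requests to a fixed tile grid. The following Python example (added here, not from the profile) makes that concrete for the Web Mercator (EPSG:3857, "GoogleMapsCompatible") tile matrix set: it maps a WGS84 position to a tile, enumerates the tiles needed to cover a bounding box per zoom level, and forms the KVP GetTile request whose parameters are what a cache keys on. The bounding box is constructed, and the use of the bare zoom number as the TileMatrix identifier is an assumption about the server.

```python
"""WMTS tile arithmetic for the Web Mercator ("GoogleMapsCompatible") tile
matrix set. Added example, not from the AMN profile; the bounding box is
constructed and the TileMatrix naming is an assumption about the server."""
import math
import urllib.parse

MAX_LAT = 85.05112878   # latitude limit of the Web Mercator projection


def lonlat_to_tile(lon, lat, zoom):
    """Return (col, row) of the tile containing a WGS84 lon/lat at this zoom.
    Rows count from the north, columns from the antimeridian."""
    lat = max(-MAX_LAT, min(MAX_LAT, lat))
    n = 2 ** zoom
    col = int((lon + 180.0) / 360.0 * n)
    lat_rad = math.radians(lat)
    row = int((1.0 - math.log(math.tan(lat_rad) + 1.0 / math.cos(lat_rad)) / math.pi) / 2.0 * n)
    return min(max(col, 0), n - 1), min(max(row, 0), n - 1)


def tiles_for_bbox(min_lon, min_lat, max_lon, max_lat, zoom):
    """All (zoom, col, row) tiles intersecting a WGS84 bounding box."""
    c0, r0 = lonlat_to_tile(min_lon, max_lat, zoom)   # north-west corner
    c1, r1 = lonlat_to_tile(max_lon, min_lat, zoom)   # south-east corner
    return [(zoom, c, r) for r in range(r0, r1 + 1) for c in range(c0, c1 + 1)]


def tile_budget(bbox, zoom_min, zoom_max):
    """Tiles a client fetches per zoom level to cover bbox: the fixed set that a
    cache between client and server can hold, so the renderer is never called twice."""
    return {z: len(tiles_for_bbox(*bbox, z)) for z in range(zoom_min, zoom_max + 1)}


def tile_request(base_url, layer, tile, matrix_set="GoogleMapsCompatible", fmt="image/png"):
    """OGC WMTS 1.0 KVP GetTile request. The TileMatrix identifier is assumed to be
    the bare zoom number; real servers may name matrices differently."""
    zoom, col, row = tile
    return ("%s?SERVICE=WMTS&REQUEST=GetTile&VERSION=1.0.0&LAYER=%s&STYLE=default"
            "&TILEMATRIXSET=%s&TILEMATRIX=%d&TILEROW=%d&TILECOL=%d&FORMAT=%s"
            % (base_url, layer, matrix_set, zoom, row, col, urllib.parse.quote(fmt, safe="")))


# Constructed bounding box (min_lon, min_lat, max_lon, max_lat) straddling the equator
SAMPLE_BBOX = (-10.0, -10.0, 10.0, 10.0)

if __name__ == "__main__":
    print(tile_budget(SAMPLE_BBOX, 0, 6))
    print(tile_request("https://maps.example/wmts", "basemap", tiles_for_bbox(*SAMPLE_BBOX, 1)[0]))
```

Because every client asking for the same area at the same zoom produces byte-identical request parameters, an HTTP cache in front of the server answers all but the first request, which is the mechanism the guidance relies on for bandwidth-constrained users.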
[2] The only scenario where this would apply would be in the case that crypto devices cannot be supplied, protected and managed on site and physical access to the AMN is hence not available at that location.
[3] If SCIP is used, then access to the AMN is only possible if a gateway for SCIP multi-conferencing and interconnection to VoSIP networks is provided. Additionally, to achieve this there would need to be agreement to re-use a Key Management system that is already deployed in ISAF (for example the one used for the OMLTs).