Testbed-12 OWS Common Security Extension ER

Many Open Systems applications have security requirements which depend upon correctly identifying the principals involved. Such requirements may include the protection of assets and resources against unauthorized access, for which an identity based access control mechanism might be used, and/or the enforcement of accountability by the maintenance of audit logs of relevant events, as well as for accounting and charging purposes. The process of corroborating an identity is called authentication.

ITU-T combines the concepts of identification and authentication into a single framework. Identification asserts an identity for a party in a transaction. Authentication validates that the assertion is correct. For example, a user name asserts an identity. Authentication is only achieved once the password has been validated.

The primary goal of access control is to counter the threat of unauthorized operations involving a computer or communications system; these threats are frequently subdivided into classes known as unauthorized use, disclosure, modification, destruction and denial of service.

Access control is arguably the most complex of the security frameworks. It typically consists of the authenticated identity of the party requesting access, metadata describing the access restrictions for a resource, and some form of access policy enforcement which governs whether access is granted or refused. Some common forms of access control are as follows.

The goal of the Non-repudiation service is to collect, maintain, make available, and validate irrefutable evidence regarding identification of originators and recipients involved in data transfers.

Non-repudiation is typically accomplished through a digital signature. A digital signature generates a hash of the message, then encrypts the hash and additional identifying information using the users private key. If they signature can be decrypted using the users public key, and the hash values match, then whoever signed the message must have had access to the users private key. If the private key has been protected, then only the user could have created and signed the message. Therefore they cannot repudiate the message.

Many Open Systems applications have security requirements which depend upon the prevention of disclosure of information. Such requirements may include the protection of information used in the provision of other security services such as authentication, access controls, or integrity, that, if known by an attacker, could reduce or nullify the effectiveness of those services. Confidentiality is the property that information is not made available or disclosed to unauthorized individuals, entities, or processes.

Confidentiality is commonly achieved through encryption. Encryption can be applied to the resource itself or to the channel the resource is exchanged over. HTTPS, for example, provides confidentiality by running the HTTP protocol over an encrypted transport link.

Many Open Systems applications have security requirements which depend upon the integrity of data. Such requirements may include the protection of data used in the provision of other security services such as authentication, access control, confidentiality, audit, and non-repudiation, that, if an attacker could modify them, could reduce or nullify the effectiveness of those services. The property that data has not been altered or destroyed in an unauthorized manner is called integrity.

The digital signature discussed above also provides integrity. If the hash algorithm is of cryptographic grade, then the chances of two messages generating the same hash are very low. So if the hash values before and after transmission match, then you can have confidence in the integrity of the message.

The open use case: it’s an open environment and all is shareable. Services are available via a public network (Internet) and service metadata is registered in a public catalogue. ISO Metadata must not include accessContraint elements. Capabilities must not list access constraints.

This is a common practice.

The Business Use Case: a provider wants users to know that there is a protected service registered in a public catalogue. They also want users to know that the content served is protected but not classified. The ISO Metadata indicates that the service endpoint(s) is(are) access protected. The ISO metadata also points to a public version of the Capabilities document. This public Capabilities document includes the content section and describes the content available from the service. The Public Capabilities document also describes the access constraints on a protected GetCapabilities operation. This protected GetCapabilities operation returns additional service metadata which the owner may not want to have publicly available.

A Protected Service with sensitive data is registered in a Catalogue on a public network (i.e., the Internet). The ISO Metadata indicates that the service endpoint(s) is(are) access protected. The ISO metadata points to a public version of the Capabilities. The Public Capabilities document does not include a content section. The Public Capabilities document also describes the access constraints on a protected GetCapabilities operation. This protected GetCapabilities operation returns a full capabilities document including content section.

A service is registered in a public catalogue. Access to the service as an anonymous user provides knowledge about the non-sensitive data provided. Authenticated users can access knowledge about those data sets / layers that the user is authorized to see. Public metadata / capabilities outline the access constraints content section partially inline (non-sensitive data sets) partially using external links (sensitive data sets).

A service that is just providing sensitive information, which is not meant for public / anonymous consumption, is registered in a protected catalogue. Users searching the catalogue must be authenticated. Access Control might additionally restrict the results provided to a user by enforcing the need-to-know principle.

The metadata describing the search results from the catalogue can be constructed according to the user’s permissions and therefore might different for users with different permissions / privileges.

HTTP Authentication is specified by IETF RFC 7235. It is a challenge-response authentication scheme using HTTP headers and response codes to exchange the challenge and response. The following example illustrates its use. This HTTP Authentication does not require a security context to be saved on the service side. Once valid authentication credentials have been established, the client can include those credentials with subsequent requests using the Authorization header. The authentication schemes supported by RFC 7235 are registered on the IANA HTTP Authentication Scheme Registry (http://www.iana.org/assignments/http-authschemes/http-authschemes.xhtml). Two commonly used authentication schemes are Basic and Digest. Basic authentication credentials are an unencrypted user name and password. Digest authentication also uses a user name and password however the values are encrypted prior to being exchanged. HTTP Authentication is illustrated by the sequence diagram in figure 2.

The following example illustrates the use different "features" of the RFC 2818, 6265 and 2616:

The following example illustrates the use of HTTP redirect, HTTP cookies and HTTPS to leverage the SAML2 profile "Web Browser SSO" in conjunction with the "POST Binding."

The following example illustrates the use of HTTP specific headers, HTTP cookies and HTTPS to leverage the SAML2 profile "ECP" in conjunction with the "PAOS Binding."

The following example illustrates the use of security on the application layer by applying "WS-Security" to SOAP <Header> elements. The SOAP security enabled endpoint acts as a reverse proxy to an unsecured WFS.

For OWS Common 1.0.0 schema, it is only possible to list the ows:Value element inside the constraint element. This affects the CSW and the WFS 1.1.0 as these version use the OWS Common 1.0 schema.

The following figure illustrates this limitation

The options to use the ows:Constraint element(s) is determined by the OWS Common XSD. The ows:OperationsMetadata element from the owsOperationsMetadata-<version>.xsd specifies the Constraint element:

It is important to point out that the element ows:Constraint is optional but may occur unbounded. The use of multiple ows:Constraint elements within the same OperationsMetadata element shall be interpreted as a logical AND.

In case an operation has a choice of multiple security constraints (OR) the ows:Get or ows:Post element shall be duplicated to reflect the logical OR. The following schema snippet illustrates this rational:

This procedure, to normalize the logical OR into a DNF of (Get | Post)+ elements is required as we are not allowed to define a new structure because of backwards-compatibility.

An annotation with security shall be done per service operation using the ows:ValuesReference element. The ows:Reference attribute shall point to the authentication codelist, the authorization policy or the WS-Policy.

As outlined in OGC 15-022, it is important to provide information on security constraints like authentication, authorization, integrity and confidentiality. Within TB12, the following URNs have been defined with the following meaning.

From OWS Common XSD, the ows:ServiceMetadata element contains the ows:Constraint element, which can occur unbounded. It is therefore possible to use one or multiple ows:Constraint element(s) to express one or multiple security constraints per service operation. It is important to note that the logical AND must be applied for all ows:Constraint elements.

In case that two or more security constraints exist as a choice (for example BASIC or DIGEST Authentication) it is required to duplicate the ows:Get or ows:Post element accordingly. As an example, the following XML fragment illustrates the choice of BASIC or DIGEST authentication:

In case that a service endpoint has security implemented, the client can only use the Capabilities document and its security annotations to determine compatibility if the instance document could be obtained either (i) publicly or (ii) via a common security mechanism implemented by all clients on the planet. In that sense, chances are that the annotated version of the Capabilities for a protected service must be publicly available. In this case, the client can read and compile the security annotations per operation and filter supported security settings.

But, this approach has an implication if the content served by the protected service is sensitive or information about the data served shall not be given to anonymous users. In this case, the content section of the publicly accessible annotated Capabilities instance document could either:

In any case, the client must always fetch the full capabilities document via the GetCapabilities operation, outlined in the publicly available capabilities document comprising of the security annotations.

OASIS has well established URNs for their authentication methods associated with SAML. It is proposed to include those URNs using the code space “OASIS.”

The IETF seems not to have established unique identifiers for the authentication methods defined in RFC 2617: HTTP Basic and Digest Authentication. Also, RFC 5246 does not define an identifier for client side certificate.

It is therefore required that the OGC Authentication Code List include identifiers for these IETF authentication methods. For TB12, the following URNs were established:

For SOAP security enabled service instances, all the security specific conditions are typically captured in the SOAP message. The SOAP message can either be a service input or output message. As the SOAP message structure is XML, one can apply all security related conditions that can be put on XML: a) Integrity by applying W3C XML Digital Signature; and b) Confidentiality by applying W3C XML Encryption.

The annotation for SOAP enabled services shall be done via a WS-Policy, which can be referenced from the Capabilities document using the OWS:Constraint element with the identifier "security:policy" or be inline to the service instance capabilities file. Both approaches involve a WS-Policy which can be used for creating client side code from the WSDL and at runtime from the capabilities document to apply/verify required security conditions are applied to the SOAP envelope.

The following examples illustrate this procedure.

This CR is captured under OGC CR #388: http://ogc.standardstracker.org/show_request.cgi?id=388

As outlined in the CR, the main problem is that mainstream IT uses content-type application/www-form-urlencoded for HTML + FORM elements to post a request from the client application to the service, but W*S specifications do not. For HTML5, a FORM element can only have one of the following content-types [source: http://www.w3schools.com/tags/tag_form.asp]:

In OGC W*S specifications, if they support HTTP POST, the content-type is “text/xml” or “application/xml” or similar. This does prevent a simple HTML5 document including a FORM element to submit a XML encoded request to a W*S.

The CR does identity the main limitation regarding security as follows: For a secured W*S endpoint, some authentication methods (e.g. SAML) that store a security context at the service side require a two-stage communication from the client to the service to establish the session. In stage one, the service returns to the client a temporary session which gets completed during stage two. It is therefore important that the client can point to the previous (incomplete) session. The SAML implementation Shibboleth triggers the second stage by returning an HTTP status 302 (for a HTTP Get request) or 307 (for a HTTP Post request) to the client. The reference to the preliminary session is done via extra parameters.

But, the current way OGC POST requests work, it is not possible for the service to add specific parameters, as the structure is defined by an OGC maintained XSD and the content-type must be text/xml or application/xml.

Due to that limitation, it is not possible to establish a session with W*S using a POST request, which is a shortcoming that introduces a disconnect from main stream IT, where almost all client/service interactions via POST use the content-type application/www-form-urlencoded.

This CR is captured under OGC CR #417: http://ogc.standardstracker.org/show_request.cgi?id=417

This requirement is important to enable that a security facade can be setup in front of any W*S to require the use of HTTPS.

Also, the support of HTTPS, as standardized in the IETF RFC 2818 (HTTP over TLS) must become a normative reference.

This CR is captured under OGC CR #418: http://ogc.standardstracker.org/show_request.cgi?id=418

The use of OWS Common limits the binding of OGC Web Services to HTTP. However, secured endpoints that require confidential transport of request and responses are leveraging HTTP over TLS (HTTPS). But the OWS Common schema limits the use of the DCP subtype HTTP which indicates an unsecured communication channel. The OWS Common Schema must be extended to support HTTPS to indicate a secure use of HTTP per TLS.

This CR is captured under OGC CR #419: http://ogc.standardstracker.org/show_request.cgi?id=419

The ability - in general - to support HTTP Cookies ensures that it is possible to store state on the client side, including a reference to a security context stored at the server side.

This CR is captured under OGC CR #420: http://ogc.standardstracker.org/show_request.cgi?id=420

Permit the use of all HTTP status codes as it fits…​

For REST, we need the use of HEAD, OPTIONS and all status codes…​

This CR is captured under OGC CR #421: http://ogc.standardstracker.org/show_request.cgi?id=421

The WFS response for a GetFeature operation is a FeatureCollection, which can be encoded in XML. For an XML encoded response, it is common practice that the WFS DescribeFeature operation is used to reference to the schema fragment that defines the features types included in the feature collection. As this schema portion is required to validate the XML document, it is problematic if the service endpoint is protected and so the DescribeFeatureType operation. In this case, it is recommended to use a URL that is fully comprised with security relevant information to enable the XML parser to gain access to the schema fragment. One approach could be to issue an OAuth access token with a short lifetime and attach that to the URL for obtaining the schema fragment that defines the involved feature types. In the case where the DescribeFeatureType operation is protected by HTTP Basic Authentication for example, the client implementation must add the proper user credentials with the request, which is difficult to implement in a safe way without exploiting the user credentials. Ergo, a non solution would be to create a DescribeFeatureType URL inside the FeatureCollection XML of the structure http://<user>:<password>@<host>/DescribeFeatureType? …​

This CR is captured against the WPS 2.0 under OGC CR #422: http://ogc.standardstracker.org/show_request.cgi?id=422

A WPS can be deployed to operate as a facade (or proxy) in front of backend services. According to the W*S type of the backend service, a request can be either HTTP Get or Post. In cases where the WPS process has received an XML encoded request for the backend service, it is important that the request is not processed but just relayed to the backend service. This is important in cases where the backend service is a SOAP + security enabled service and the client submits the request to that service via the WPS Execute request. In case where a digital signature is on that request, any processing at the WPS would invalidate the request and the backend service would return an error. An example for this constellation is captured in chapter 11.

This CR is captured under OGC CR #423: http://ogc.standardstracker.org/show_request.cgi?id=423

As outlined in the ER in an earlier section, the WMS 1.1.1 capabilities are not based on OWS Common schema but on a WMS version specific DTD. In order to annotate the security conditions according to the proposed formalism, the following DTD structure must be included inside the VendorSpecificCapabilities element.

In case where the service endpoint must not include a vendor specific section, then the following structure shall be used:

In case the use of VendorSpecificCapabilities is required to define vendor specific portions in the capabilities, the security extension must be integrated into the vendor’s definition. The following example illustrates that approach:

This CR is captured under OGC CR #424: http://ogc.standardstracker.org/show_request.cgi?id=424

For annotating WMS 1.3.0 capabilities with security annotations, the following XSD structure shall be used. The following schema defines the ExtendedSecurityCapabilities element which is in the substitution group _ExtendedCapabilties and can therefore be used in the capabilities document either exclusively or in combination with other extended capabilities elements. The example in a previous section of this ER outlines an example for a DigitalGlobe WMS 1.3.0, but the approach would also be valid for an INSPIRE download service.

The following ExetendedSecurityCapabilities type definition shall be used:

This CR is captured under OGC CR #425: http://ogc.standardstracker.org/show_request.cgi?id=425

The use of security annotations in the Capabilities document (response) is based on well defined URNs with pre-defined meaning. In order to achieve an interoperable approach, certain URNs must be approved by the OGC Naming Authority.

The following URNs have being used for Testbed 12:

Also, the URL location of the Authentication Codelist must be specified by the OGC Naming Authority. The URL is important to allow clients the resolving of the identifiers used in the Authentication Codelist.

For Testbed 12, the following URL has being used for the AuthenticationCodeList: http://tb12.opengis.net/security/authCodeList

The actual identifiers for the different authentication schemes that comprise the authentication codelist must be approved by the OGC Naming Authority.

This CR is captured under OGC CR #426: http://ogc.standardstracker.org/show_request.cgi?id=426

When a secured OGC Web Service (e.g. using HTTPS) is called from a Web Application via JavaScript code, the Web Browser applies certain sand-boxes to the code to ensure privacy and security and to prevent Cross-Site-Scripting.

The W3C CORS recommendation shall be adopted on the server side to ensure that OGC Web Service requests, where XML encoded responses are expected (e.g. GetCapabilities, DescribeFeatureType, GetFeature, etc.) are not blocked by the Web Browser due to a different Origin.

The full conditions when CORS applies can be found in the W3C CORS recommendation: https://www.w3.org/TR/cors/

For any client application that shall be used on a secured service, it is important that the implementation supports HTTP over TLS (IETF RFC 2818). This support requires the use of modern and strong ciphers (TLS 1.2) and refrain from using weak ciphers such as SSL 3.0. Further more, it is important that server certificates are properly introspected and certificate revocation lists are used when validating certificates.

The use of OWS Common limits a W*S to be stateless. This is acceptable for unsecured services, but when applying a particular security technology or standard, it must be possible that a client refers to a security context via an HTTP Cookie.

OWS Common has a mandatory reference to IETF RFC 2616, which is HTTP 1.1. Even though client specifications do not exist, all client implementations must support proper functions for all HTTP status codes, including 302 and 307. This is important when enterprise security authentication is implemented at the service, as it is defined in e.g. SAML2.

Also, the appropriate use of all HTTP verbs is encouraged, including the use of HTTP OPTIONS and HEAD operations.

The WFS returns an XML encoded response for the GetFeature operation; the FeatureCollection. In order for the receiving application to validate the XML, a schema is required. General practice is to refer to the schema of the FeatureCollection using the WFS DescribeFeatureType operation. But for a secured WFS where the schema is sensitive and not publicly accessible, the client side XML parser cannot simply use the DescribeFeatureType operation, as this is a secured operation. The general question is how can the XML parse execute the secured operation DescribeFeatureType without unveiling the credentials required for this operation?

For any W*S instance that supports SOAP and enforces security conditions on the SOAP envelope, no HTTP GET operations must be used. The main reason is that the security conditions for the SOAP envelope (typically described in a WS-Policy) can not be modeled in a HTTP GET request. It is therefore not possible that e.g. a WFS supports a DescribeFeatureType via HTTP GET in cases where this operation is also protected via SOAP security.

Therefore, the general question is how to enable the client side parser to obtain the schema without following the DescribeFeatureType link outlined in the XML response; the FeatureCollection?

For securing services from DigitalGlobe, the security architecture is very much identical to the security model from DHS (Department of Homeland Security). In a nutshell, the architecture involves user authentication via personal certificates, issued for TB12 from OGC and Secure Dimensions. The service endpoints are secured with client side TLS which requires the user to select his TB12 certificate to establish a TLS connection. With the CN from the certificate, the security facade requests user attributes from a SAML Attribute Authority, which is operated by OGC for TB12. From that user repository, a set of different user attributes becomes available for undertaking the authorization. In particular, the security implements the OASIS SAML Profile “SAML Attribute Sharing Profile for X.509 Authentication-Based Systems”.

The access control itself is based on GeoXACML policy based authorization which involves geographic conditions for military installations and otherwise sensitive areas.

The following W*S are available for the DigitalGlobe services stack:

For these services, annotated capabilities and all required schema materials are available from this publicly and open URL: https://tb12.ogc.secure-dimensions.com/capabilities

In terms of access control and authorization, the WMS and WMTS endpoints operate on a GeoXACML policy that enforces redaction of sensitive areas for all users that do not have sufficient rights based on their role and (TB12) clearance. For the WMS response, the entire image is used for redaction. For the WMTS endpoint, the applicable tile that intersects the given sensitive area is redacted. Depending on the zoom level, it is possible that multiple tiles get redacted before returned to the client:

For Cubewerx, a WFS 2.0 with SOAP support is secured using a SOAP+WS-Security as described in a WS-Policy. In order to execute the secured service, the client must send a particular security header inside the SOAP envelope which matches the requirements from the WS-Policy.

This SOAP + WS-Security enabled WFS is available here: https://tb12.secure-dimensions.com/soap/services

For this service, a static capabilities document with public access exists, as well as the WSDL and the WS-Policy:

For rasdaman, a WCPS security implementation exists which connects to a rasdaman WCS 2.0.1. The security is based on HTTPS and Basic Authentication. Based on the user’s identifier, the security proxy does rewrite POST requests from a client with the following effects.

For this service, a static capabilities document including security annotations is available here: https://tb12.secure-dimensions.com/capabilities/WCPS-2.0.1.xml

The following URL can be used to execute the secured service via a Web Browser based client application: http://rasdaman.org/tb12

52North has deployed a Web Processing Service (WPS) with a process "testbed12.cmd.AsyncFacadeProcess" which is acting as a proxy in front of any Web Service which accepts a POST request using XML encoding and content-type "text/xml" or "application/xml". The WPS endpoint is here: http://tb12.dev.52north.org/wps/WebProcessingService

The description of the process can be obtained via this URL: http://tb12.dev.52north.org/wps/WebProcessingService?Request=DescribeProcess&Service=WPS&version=2.0.0&identifier=testbed12.cmd.AsyncFacadeProcess

This WPS process was leveraged to demonstrate the execution of a SOAP WFS with WS-Security, as illustrated in the following sequence diagram. The SOAP + WS-Security enabled WFS is provided by Secure Dimensions via this URL: https://tb12.secure-dimensions.com/soap/services

The security requirement is described in the annotated capabilities available here: https://tb12.secure-dimensions.com/capabilities/WFS-SOAP-2.0.0.xml

The following listing contains the XML encoded WPS Execute request that can be sent to the WPS process to execute the secured WFS. Please note the WS-Security specific elements in the Header element of the SOAP request.

For TB12, Cubewerx has provided a set of secured services via the Cubewerx CwAuth and HTTP Basic Authentication.

For the secured endpoints, Cubewerx provides freely accessible Capabilities with security annotation:

The endpoints got challenged in different TIEs to evaluate the security annotation.

Cubewerx did also participate with their Web Browser based client to conduct TIEs. The result of the TIEs is captured in a later subsection.

For TB12, Compusult has not provided secured OGC Web Services. Their security related contribution for TB12 is conducting TIEs with their client product.

For TB12, Esri conducted TIEs for the secured WMTS https://tb12.ogc.secure-dimensions.com/capabilities/WMTS-1.0.0.xml using their desktop product ArcMap 10.4.1. The results from the successful TIE is captured in the following screenshot:

For TB12, GMU has conducted a TIE with their Web Browser based client and the WFS 2.0.0 with SOAP + WS-Security https://tb12.secure-dimensions.com/capabilities/WFS-SOAP-2.0.0.xml

The TIE was successful which is illustrated in the following screenshot:

For TB12, Luciad conducted TIEs with their client product and different secured services. All TIEs were successful reading the annotated capabilities and displaying the service response. The following screenshot illustrated the TIE result with a WMS 1.1.1 from DigitalGlobe via a Secure Dimensions security proxy.

Luciad performed a set of security TIEs using its Java-based Desktop Client, which has been developed to support the Field Operations thread. Security-wise, the client supports HTTP Basic Authentication and HTTPS SSL/TLS authentication using certificates. The client tested against WMS, WFS and WMTS services with security-annotated capabilities and using KVP/XML bindings. A test with a SOAP-based WFS was not performed, due to the lack of proper WS Security support in the client. The tests showed that the client was able to decode the capabilities without any issue, demonstrating the backwards compatibility of the security annotations. Querying and visualizing the data was also successful, apart from one interoperability issue related to the handling of a "not authorized" response encoded as an image (served by a WMS); the client was not able to display this image, due to a missing & appropriate mime type in the Content-Type header.

The ESRI ArcMap 10.2.2 and 10.4.1 desktop applications; Luciad desktop GIS; Compusult WES were used to load the annotated capabilities for WMS 1.1.1 and 1.3.0:

The result of loading the annotated capabilities did not result in a crash of the client applications. After selecting a layer, the client application did load the map and displayed it with no error. In order to have the client execute the GetMap request for the first time, the user must select the client certificate to establish a TLS connection.

The result of this TIE is identical as if the client had loaded the capabilities via the protected service endpoint using the GetCapabilities operation.

The ESRI ArcMap 10.2.2 and 10.4.1 desktop applications; Luciad desktop GIS; Compusult WIS were used to load the annotated capabilities for WMTS 1.0.0:

The result of loading the annotated capabilities did not result in a crash any of the client applications.

However, after selecting a layer, the ArcMap 10.2.2 and 10.4.1 applications open multiple network connections in parallel to load the tiles via the GetTile request. At that point, the underlying network library causes popup boxes to appear asking the user to select a client certificate to establish the TLS connection. After the second popup box is processed by the user - selecting the certificate - the application crashes. This problem was reported to ESRI via the proper channels. The crash is not related to the use of annotated capabilities, as the same crash occurs at random (3 of 5 attempts) if a project file /.mxd file for the WMTS is used to connect to the service. The cause for the crash is the parallel connections for loading tiles. WMS works, because only one single GetMap request is issued and therefore only one popup box occurs.

When using the secured endpoint of the service (https://tb12.ogc.secure-dimensions.com/service/wmts) ArcMap connects to the service via the GetCapabilties request which causes the popup of the certificate selection box. Once that single request has resulted in a TLS connection, the parallel requests for GetTile do not require a certificate selection any more. So, the application works as expected.

The ESRI ArcCatalog 10.2.2 desktop application; Luciad desktop GIS; Compusult WES were used to load the annotated capabilities for WFS 1.1.0:

It was possible to create an Interoperability Extension for the WFS using ArcCatalog. The annotated capabilities document was loaded with no crash. It was also possible to select a feature type and save the configuration in ArcCatalog.

The loading of features from this interoperability connection in ArcMap 10.2.2 failed.

The loading of the annotated capabilities and displaying of the result did work for the Luciad desktop GIS and the Compusult WIS.

The result of the TIE is that the use of the annotated capabilities did not crash the client application. But the lack of support for the client side TLS caused the ArcMap client not to load any features.

The ESRI ArcMap 10.2.2 desktop application was used to load the annotated capabilities for WCS 1.1.1:

It was possible to load the annotated capabilities files without crashing the client. But the client did not issue a DescribeCoverage request and the selection box remained empty.

The result of the TIE is that the use of the annotated capabilities did not crash the client application. But for an error in the capabilities document, it was not possible to select a coverage.

The following TIE matrix documents the result from the testing of secured W*S and annotated capabilities

The following TIE matrix documents the result from testing the WFS 2.0.0 with SOAP + WS-Security