FIGURE 1.9 Architecture of CROWN security.
[Figure: labels recoverable from the diagram are Region A, Region B, Region CA, Region KDC; Domain A.1, Domain A.2, Domain B.1; Domain CA, Domain KDC; Domain AuthService, Domain AuthzService, CredMan Service; Node 1 … Node n, Node k, Node m; an identity mapping & credential conversion service; and automated trust negotiation.]
levels of security mechanisms in the CROWN security architecture: node-level, domain-level, and region-level security mechanisms. CROWN uses a federated construction to form the virtual organization, and the security architecture is designed accordingly, as shown in Figure 1.9. The term “region” denotes an area with a homogeneous security infrastructure, such as PKI or Kerberos, and the term “domain” denotes the area of an autonomous organization.

In order to wrap, share, and protect the raw resources in autonomous domains, a CROWN node should be deployed in the domain. It is the responsibility of the CROWN node to accept or intercept resource requests from grid users and to perform the security control. The raw resources to be protected are located in what we call protected areas, which may be physical or conceptual areas. When deploying CROWN security, one should insist that all access to the resources in the protected area is mediated by a CROWN node.

1.4.1.1 Node-Level Security

In a CROWN node, CROWN Security implements communication security; fine-grained access control; basic message-level security, such as encryption/decryption, signing/verification, and authentication; and authorization mechanisms. Moreover, other new functionalities can easily be added to this architecture because of its flexibility. CROWN Security is highly flexible through configuration, which makes it easier for administrators to specify fine-grained security policies for each service. For example, it is feasible to apply various security processing modes, such as a
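As an added illustration, not CROWN's own code, of the two requirements above (every access to a protected area is mediated by a CROWN node, and the node applies a fine-grained, per-service security policy), the following Python sketch models a CROWN node as a reference monitor. The service names, credential store, and HMAC-based signature are hypothetical stand-ins chosen so the example runs offline.

```python
import hashlib
import hmac

# Constructed per-service policy table standing in for CROWN's configurable
# node-level security policy. Service names and roles are hypothetical.
SERVICE_POLICY = {
    "ProtectedDataService": {
        "require_authentication": True,   # caller must prove a known credential
        "authorize": {"read": {"analyst", "admin"}, "write": {"admin"}},
    },
    "PublicCatalogService": {
        "require_authentication": False,  # anonymous reads are allowed
        "authorize": {"read": {"anonymous", "analyst", "admin"}},
    },
}

# Constructed credential store: credential id -> (shared secret, role).
CREDENTIALS = {"alice": (b"alice-secret", "analyst"), "bob": (b"bob-secret", "admin")}


def sign(cred_id, body):
    """Client side: attach a message-level signature (HMAC as a stand-in for a real signature)."""
    return hmac.new(CREDENTIALS[cred_id][0], body.encode(), hashlib.sha256).hexdigest()


def crown_node_mediate(request):
    """The CROWN node as reference monitor: the only path to a protected resource.

    Returns (granted, reason). Checks run in order: policy lookup, signature
    verification/authentication, then per-operation authorization.
    """
    policy = SERVICE_POLICY.get(request["service"])
    if policy is None:
        return False, "unknown service"
    role = "anonymous"
    cred_id = request.get("cred_id")
    if cred_id is not None:
        # A presented credential is always verified, even for public services,
        # so a tampered message is never silently downgraded to anonymous.
        if cred_id not in CREDENTIALS:
            return False, "unknown credential"
        expected = sign(cred_id, request["body"])
        if not hmac.compare_digest(expected, request.get("signature", "")):
            return False, "signature verification failed"
        role = CREDENTIALS[cred_id][1]
    if policy["require_authentication"] and role == "anonymous":
        return False, "authentication required"
    allowed = policy["authorize"].get(request["operation"], set())
    if role not in allowed:
        return False, f"role '{role}' not authorized for '{request['operation']}'"
    return True, "granted"
```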