signature-only mode, an encryption-with-signature mode, and so on, to different services and even different methods or method parameter values in a service, in the same node.
Currently, CROWN Security supports two kinds of security infrastructure: Kerberos and PKI. Therefore the X.509 certificate [10] and Kerberos ticket are both supported in the authentication module. Both Kerberos and PKI authentication are implemented as a WSSecureConversation [11] service that conforms to the GSS-API standard [12]. For instance, a service deployed in the Kerberos region can use CROWN Security to authenticate and authorize users according to their Kerberos credentials, and in the meantime the same service can also be deployed in the PKI region with only slight configuration adjustments made by the administrator. This feature is the essential infrastructure for supporting further credential federation among regions.
In particular, during the dynamic trust establishment between two unknown nodes located in different security domains, sensitive credentials or access control policies may be disclosed. In CROWN Security, a dedicated ATNService, namely the Automated Trust Negotiation Service, which complies with the WS-Trust standard, is provided to preserve the privacy of the nodes. If the service requestor holds a trust ticket issued by the target service, then trust can be established without negotiation. Otherwise, trust negotiation is triggered, and the negotiation strategy enforcer in the ATNService determines whether, and which, credentials should be disclosed at each step. In addition, an advanced trust chain construction component, backed by trust management with various delegation credentials, is supported in ATNService.
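The trust-establishment flow described above, as an added illustration in Python that is not CROWN code: a trust ticket bypasses negotiation; otherwise each side's strategy enforcer releases, round by round, only those credentials whose release policy is already satisfied by what the peer has shown, and negotiation stops with a deadlock when neither side can release more. The party names, credentials and policies are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Party:
    name: str
    credentials: set          # credentials this party holds
    release_policy: dict      # credential -> peer credentials that must be seen first
    access_policy: set        # peer credentials required before granting access
    received: set = field(default_factory=set)
    disclosed: set = field(default_factory=set)

    def releasable(self):
        # Strategy enforcer: a credential is released only when every
        # credential its release policy demands has already been received.
        return {c for c in self.credentials - self.disclosed
                if self.release_policy.get(c, set()) <= self.received}

def negotiate(requestor, service, trust_tickets, max_rounds=10):
    """Return (granted, rounds_used, transcript) for one trust establishment."""
    if (requestor.name, service.name) in trust_tickets:
        return True, 0, ["trust ticket accepted, no negotiation"]
    transcript, rnd = [], 0
    for rnd in range(1, max_rounds + 1):
        progressed = False
        for sender, receiver in ((requestor, service), (service, requestor)):
            new = sender.releasable()
            if new:
                progressed = True
                sender.disclosed |= new
                receiver.received |= new
                transcript.append(f"round {rnd}: {sender.name} -> {receiver.name}: {sorted(new)}")
            if service.access_policy <= service.received:
                return True, rnd, transcript   # service's policy satisfied
        if not progressed:
            break   # deadlock: both sides wait for the other to disclose first
    return False, rnd, transcript

def scenario(ticket=False, deadlock=False):
    # Constructed example: the requestor guards "student_id" behind the
    # service's certificate; in the deadlock variant both sides guard everything.
    req = Party("alice", {"student_id", "univ_member"},
                {"student_id": {"service_cert"},
                 "univ_member": {"service_cert"} if deadlock else set()}, set())
    svc = Party("grid_svc", {"service_cert"},
                {"service_cert": {"univ_member"}} if deadlock else {}, {"student_id"})
    tickets = {("alice", "grid_svc")} if ticket else set()
    return negotiate(req, svc, tickets)
```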
1.4.1.2 Domain-Level Security
Although some security functions such as authentication and authorization are implemented as node-level security mechanisms in CROWN Security, it is often a huge burden for administrators to maintain authentication and authorization policies on an enormous number of CROWN nodes in each domain. Therefore, several fundamental security services are provided by CROWN Security with the intention of easing security administration and reducing the administration burden, including the authentication service (AuthService) and the authorization service (AuthzService). For example, a centralized authorization service can be deployed in a domain, and this authorization service will make authorization decisions for all grid services residing in the CROWN nodes of that domain.
Furthermore, CROWN Security provides a credential management service (CredManService) as a MyProxy [13] replacement in CROWN middleware. CredManService allows users to access their credentials anywhere, anytime, even when they are on a system without a grid infrastructure or without secure access to their long-term credentials, as