MyProxy does. However, CredManService is implemented as a grid service and is decoupled from the underlying security mechanisms. This gives administrators considerable flexibility to tailor different security configurations to different service deployments. MyProxy, on the other hand, is tightly coupled with SSL as its session security mechanism and has a built-in access control model that is hard coded and inflexible to extend. The domain administrator can deploy these services selectively. These services are all implemented as extensions to the WS-Trust standard [14], which has a policy-based design; therefore they are highly adaptable and easy to configure.
1.4.1.3 Region-Level Security
The region-level security mechanism in CROWN Security is realized by a credential federation service (CredFedService). In a multiparty collaboration, users in one region may be unable to access services provided by other regions because the regions use different authentication methods as well as different formats for user credentials, such as the X.509 certificate and the KerberosV5 [15] ticket. A credential conversion mechanism is therefore an essential enabler for establishing deep collaboration among multiple parties. For example, CredFedService can be employed as a bridge between a PKI region and a Kerberos region, so that users from one region can access resources across different security infrastructures via the policy-based identity mapping and credential conversion feature provided by CredFedService. CredFedService is also implemented as a grid service and is decoupled from the underlying security mechanisms; administrators can adapt security configurations as well as identity mapping policies to their own requirements.
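As an added illustration of the policy-based identity mapping described above (example code written for this page, not CROWN's CredFedService implementation), the following Python maps an X.509 issuer and subject DN to a Kerberos principal under a constructed, deny-by-default policy; the rule set, the realm EXAMPLE.REALM and the DNs are assumptions, and captured subject fields are validated so that a crafted CN cannot alter the resulting principal.

```python
"""Policy-based identity mapping between a PKI region and a Kerberos region.

Added illustration in the spirit of CredFedService; it is not CROWN's code.
Rules, realm names and subject DNs below are constructed for the example.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Values captured from a certificate subject must be plain tokens, so that a
# crafted CN cannot smuggle '@', '/' or whitespace into the mapped principal.
SAFE_TOKEN = re.compile(r"[A-Za-z0-9._-]+")


@dataclass(frozen=True)
class MappingRule:
    issuer: str     # exact issuer DN whose certificates this rule accepts
    subject: str    # regex fully matched against the subject DN
    principal: str  # template; {name} refers to a named group in `subject`


# Constructed policy: first matching rule wins; anything unmatched is denied.
POLICY: List[MappingRule] = [
    MappingRule("CN=Grid CA,O=Example",
                r"CN=(?P<cn>[^,]+),OU=Operators,O=Example",
                "ops/{cn}@EXAMPLE.REALM"),
    MappingRule("CN=Grid CA,O=Example",
                r"CN=(?P<cn>[^,]+),OU=Users,O=Example",
                "{cn}@EXAMPLE.REALM"),
]


def map_identity(issuer_dn: str, subject_dn: str,
                 policy: List[MappingRule] = POLICY) -> Optional[str]:
    """Return the Kerberos principal the policy assigns to a certificate, or None."""
    for rule in policy:
        if rule.issuer != issuer_dn:      # never map certificates from other CAs
            continue
        match = re.fullmatch(rule.subject, subject_dn)
        if match is None:
            continue
        groups = match.groupdict()
        if not all(SAFE_TOKEN.fullmatch(v) for v in groups.values()):
            return None                   # rule matched but a captured value is unsafe
        return rule.principal.format(**groups)
    return None                           # default deny


if __name__ == "__main__":
    print(map_identity("CN=Grid CA,O=Example", "CN=alice,OU=Users,O=Example"))
```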
1.4.2 Design and Implementation
As discussed above, CROWN Security presents an extensible framework and implements the basic communication security components inside the CROWN node. CROWN Security also provides four further components built on the framework: credential management, policy-based authorization, trust management and negotiation, and credential federation. The implementation of CROWN Security is tightly integrated with the CROWN NodeServer, which is the core component of the CROWN middleware system. The basic functions of CROWN Security ship together with the CROWN NodeServer, and several fundamental security services are available as grid service archives, which can be remotely deployed into a CROWN NodeServer through the ROST service [16].

Before diving into design and implementation details, the following subsection discusses the security structure of the CROWN node, which provides the flexible and adaptable features of CROWN Security.