the session ID into a SOAP header and sign it before sending it to the target
service. The target service will verify the authenticity of the session ID
through its AuthzHandler, and allow access if the verification succeeds.
1.4.2.6 Credential Federation
A credential federation component is provided as a grid service called
CredFedService. The function of CredFedService is to convert an X.509
certificate to a KerberosV5 ticket according to a specified identity mapping
policy, and vice versa. Figure 1.13 shows the relationships and data flow
among the modules inside CredFedService implementation.
The input of CredFedService is the user's credential, and the output is a
new credential in a format different from the input credential. Figure 1.13
demonstrates the procedure of mapping an X.509 credential to a Kerberos
credential. First, the input credential is processed by the authentication
module, which is realized by a secure-conversation mode offered by an
underlying communication security component of CROWN-ST, to verify
whether the user is the real owner of this credential. If so, the credential is
then forwarded to the identity mapping module, which will map the identity
of the user to another domain based on mapping policy. Then the new identity
will be processed by the credential conversion module to generate a
new credential for the user. Finally, this credential is returned to the user by
CredFedService. As shown in Figure 1.13, each module has its corresponding
policy that can be customized by the CredFedService administrator.
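The three-stage flow described above (authentication, identity mapping, credential conversion, each driven by its own policy) can be sketched as follows. This is an added example, not CROWN's code: every class, function, and policy name is hypothetical, the credentials are plain stand-in records, and the deny-by-default mapping, the principal-name check, and the lifetime cap are assumed policy choices rather than details from the text.

```python
import re
from dataclasses import dataclass

class FederationDenied(Exception):
    """Raised when any module's policy rejects the request (fail closed)."""

@dataclass(frozen=True)
class X509Credential:            # constructed stand-in, not a parsed certificate
    subject: dict                # e.g. {"O": "Grid", "OU": "Physics", "CN": "alice"}
    not_after: int               # expiry, seconds since epoch
    possession_proven: bool      # result reported by the secure-conversation layer

@dataclass(frozen=True)
class KerberosCredential:        # stand-in record; no real ticket is issued here
    principal: str
    expires: int

# One policy per module (constructed values, as an administrator might set them).
MAPPING_POLICY = {("Grid", "Physics"): "PHYSICS.EXAMPLE.ORG"}   # (O, OU) -> realm
CONVERSION_POLICY = {"max_lifetime": 8 * 3600}
SAFE_NAME = re.compile(r"[a-z][a-z0-9_-]{0,31}")   # rejects '/', '@', whitespace

def authenticate(cred, now):
    # Authentication module: the caller must own the credential and it must be valid.
    if not cred.possession_proven or cred.not_after <= now:
        raise FederationDenied("authentication failed")
    return cred

def map_identity(cred):
    # Identity mapping module: unmapped domains and unsafe names are denied.
    realm = MAPPING_POLICY.get((cred.subject.get("O"), cred.subject.get("OU")))
    cn = cred.subject.get("CN", "")
    if realm is None or not SAFE_NAME.fullmatch(cn):
        raise FederationDenied("no mapping for this identity")
    return f"{cn}@{realm}"

def convert(principal, cred, now):
    # Credential conversion module: the new credential must not outlive its source.
    expires = min(now + CONVERSION_POLICY["max_lifetime"], cred.not_after)
    return KerberosCredential(principal, expires)

def federate(cred, now):
    return convert(map_identity(authenticate(cred, now)), cred, now)
```

The name check matters because a subject CN containing `/` or `@` would otherwise be copied into the principal and could be read as a different instance or realm on the Kerberos side.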
1.4.3 CROWN Security Summary
CROWN Security provides a fine-grained and extensible framework enabling
trust federation and trust negotiation for resource sharing and
collaboration in an open grid environment. We have also demonstrated
FIGURE 1.13
CredFedService. [Diagram: inside CredFedService, an X509 certificate passes through the authentication module, the identity mapping module, and the credential conversion module, each paired with its own policy (authentication policy, identity mapping policy, credential conversion policy), producing a Kerberos ticket.]