Palette - WP0
European and Chinese Cooperation on Grid
TrustCoM: A framework for trust, security and contract management in dynamically evolving Virtual Organisations
Atos Origin, Ignacio Soler, [email protected]
Luxembourg - 6/7 February 2006 - TEL Projects meeting
Agenda:
- TrustCoM in a nutshell
- TrustCoM vision
- TrustCoM simplified Architecture
- A real example using the TrustCoM Architecture
Overview
TrustCoM has developed a framework for trust, security and contract management in dynamically evolving virtual organisations. It is designed to meet the needs of such organisations and to provide the basis for products and services.
TrustCoM in a nutshell
From relationships to actual usage
Architecture layers shown in the diagram: Infrastructure Support, VO Management, SLA Management, Trust & Security, BP Management, Policy Services.
Putting it all together
Elements shown in the diagram: VO Management Service, Application Service, Trusted Third Parties, Supporting Services, and a Gateway in front of each Service / Resource.
And now: ACTION
Component level view: topic-specific interactions
Component View: I. Instantiation & Configuration
Component View: Instantiation (1)
Interactions shown between VO Management, the Application Service and the Gateways:
- Instantiation (contains configuration information)
- Information About Member
- Instantiate (to each Gateway)
- Register Services
- Instantiation
Components shown in the diagram (the same component boxes appear on every Component View slide): SLA Manager, SLA Repository, Factory, CDL++2BPEL, BPM Service, Instantiator, Coordinator, PEP, Service Instance Registry, Notification Proxy, Policy Decision Point, Security Token Service, GVOA Manager, Membership Management, Lifecycle Manager, Message Interceptor.
Component View: Instantiation (2)
Interactions shown between VO Management, the Application Service, the Gateways and the actual services:
- Instantiate
- Instantiation Details (EPR)
- Update Data
Component View: Configuration (1): Security Tokens
Interactions shown between VO Management, the Application Service, the Gateways and the actual service:
- Issue Tokens
- Token Information (to the Gateway and to the actual service)
Component View: Configuration (2): Policies
- Policies, Roles, Relationships
- Policy (delivered to each recipient in the diagram)
Component View: Configuration (3): BPs
Interactions shown between VO Management, the Application Service, the Gateways and the actual service:
- Collaboration Description (Role)
- Derived BP
Component View: Configuration (4): starting SLAs
- Start (SLA Id)
- Get SLA
- Start (SLA)
- Instantiate & Configure
- SLA Monitor (component added at this step)
Component View: II. Messaging
Component View: Msg: Security & Access Control
Message flow shown between the Gateway of (Application) Service A and the Gateway of (Application) Service B:
1. Message to Service B (from the actual service behind Gateway A)
2. Check Policies -> Block/Allow (Gateway A's PEP asks its Policy Decision Point)
3. Get Token -> Token (from the Security Token Service)
4. Resolve Handle -> EPR (Service Instance Registry: Service A = EPR x, Service B = EPR y, Service C = EPR z)
5. Forward Message to EPR y
6. Check Policies -> Block/Allow (Gateway B's PEP)
7. Validate Token -> Ok/fail
8. (Resolve Handle) -> (EPR)
9. Message to Service B (delivered to the actual service)
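The flow on this slide, worked through in code. This is an added example and not TrustCoM's own implementation: the tokens are HMAC-signed JSON standing in for the SAML/WS-Trust tokens TrustCoM used, the PDP is a plain attribute allow list, and every member name, key, handle and EPR is made up. It keeps the separation the backup slides insist on (the STS issues and validates tokens; the PDP sees only attributes) and shows why the receiving gateway must re-check policy and validate the token rather than trust the sender's PEP.

```python
"""Gateway-to-gateway message flow (added example, not TrustCoM code).

Sending side: PEP checks policy with the PDP, obtains a token from the
STS, resolves the target handle to an EPR via the Service Instance
Registry and forwards the message.  Receiving side: the PEP validates the
token with the STS and re-checks policy before the actual service sees it.
Tokens are HMAC-signed JSON (a stand-in for SAML); names, keys and EPRs
are all invented for this example."""
import base64, hashlib, hmac, json, secrets, time


class PolicyDecisionPoint:
    """Attribute-based allow list: (role, target handle, action) -> Permit.
    The PDP only ever sees attributes, never the token."""
    def __init__(self, rules):
        self.rules = set(rules)

    def decide(self, role, target, action):
        return "Permit" if (role, target, action) in self.rules else "Deny"


class SecurityTokenService:
    """Issues and validates short-lived tokens (HMAC stand-in for SAML)."""
    def __init__(self, key, ttl=60):
        self.key, self.ttl = key, ttl

    def issue(self, subject, role, audience, now=None):
        claims = {"sub": subject, "role": role, "aud": audience,
                  "exp": (now or time.time()) + self.ttl,
                  "jti": secrets.token_hex(8)}        # unique id for replay tracking
        raw = json.dumps(claims, sort_keys=True).encode()
        mac = hmac.new(self.key, raw, hashlib.sha256).digest()
        return base64.b64encode(raw).decode() + "." + base64.b64encode(mac).decode()

    def validate(self, token, audience, now=None):
        """Returns the claims, or None if MAC, audience or expiry fails."""
        try:
            raw_b64, mac_b64 = token.split(".")
            raw, mac = base64.b64decode(raw_b64), base64.b64decode(mac_b64)
        except ValueError:                            # malformed token
            return None
        if not hmac.compare_digest(mac, hmac.new(self.key, raw, hashlib.sha256).digest()):
            return None
        claims = json.loads(raw)
        if claims["aud"] != audience or claims["exp"] < (now or time.time()):
            return None
        return claims


class ServiceInstanceRegistry:
    """Maps VO-level service handles to EPRs (address + hosting gateway)."""
    def __init__(self):
        self.entries = {}

    def register(self, handle, address, gateway):
        self.entries[handle] = {"address": address, "gateway": gateway}

    def resolve(self, handle):
        return self.entries.get(handle)


class Gateway:
    """One VO member's gateway: a PEP in front of its actual services."""
    def __init__(self, name, role, pdp, sts, registry, services):
        self.name, self.role = name, role
        self.pdp, self.sts, self.registry = pdp, sts, registry
        self.services = services          # handle -> callable (the actual service)
        for handle in services:           # RegisterServices
            registry.register(handle, f"https://{name}.example/{handle}", self)

    def send(self, target, action, body):
        if self.pdp.decide(self.role, target, action) != "Permit":   # CheckPolicies
            return {"status": "blocked", "where": self.name, "why": "policy"}
        token = self.sts.issue(self.name, self.role, target)          # GetToken
        epr = self.registry.resolve(target)                            # ResolveHandle
        if epr is None:
            return {"status": "blocked", "where": self.name, "why": "unknown handle"}
        envelope = {"to": target, "action": action, "token": token, "body": body}
        return epr["gateway"].receive(envelope)                        # Forward to EPR

    def receive(self, envelope):
        target = envelope["to"]
        if target not in self.services:
            return {"status": "blocked", "where": self.name, "why": "not hosted here"}
        claims = self.sts.validate(envelope["token"], audience=target)  # ValidateToken
        if claims is None:
            return {"status": "blocked", "where": self.name, "why": "token"}
        if self.pdp.decide(claims["role"], target, envelope["action"]) != "Permit":
            return {"status": "blocked", "where": self.name, "why": "policy"}
        result = self.services[target](envelope["action"], envelope["body"])
        return {"status": "delivered", "where": self.name, "result": result}


def demo():
    """Two members of one VO; returns the outcome of three deliveries."""
    sts = SecurityTokenService(key=b"vo-shared-secret-demo")   # shared key: toy setup
    pdp = PolicyDecisionPoint({("LearningProvider", "ServiceB", "getCourse")})
    reg = ServiceInstanceRegistry()
    gw_a = Gateway("memberA", "LearningProvider", pdp, sts, reg, {})
    gw_b = Gateway("memberB", "Storage", pdp, sts, reg,
                   {"ServiceB": lambda action, body: f"{action}:{body['course']}"})
    ok = gw_a.send("ServiceB", "getCourse", {"course": "crypto-101"})
    denied = gw_a.send("ServiceB", "deleteCourse", {"course": "crypto-101"})
    # A forged envelope that skips gw_a's PEP and hits gw_b directly
    forged = gw_b.receive({"to": "ServiceB", "action": "getCourse",
                           "token": "AAAA.BBBB", "body": {"course": "crypto-101"}})
    return ok, denied, forged
```

The third call in `demo` is the case that matters: an attacker who talks straight to Gateway B never passes Gateway A's policy check, so B's own token validation and policy check are the only controls left, which is why the slide shows both steps repeated on the receiving side.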
Component View: III. Trust & Contract Management
Component View: SLA Mgmt (1): Monitoring & Eval.
Interactions shown between the Application Service, its Gateway and the actual service:
- Start SLA
- Check System
- SLA Status (reported by each monitored component)
- Evaluate
- Compliance Information
- Updated Reputation
- Reputation Drop
Component View: Policy Violations
- Violation
- Reputation Drop
- Reconfiguration
European and Chinese Cooperation on Grid
An example to clarify things
Mid-term review, Imperial College London, UK, 5 October 2006
Ignacio Soler, Atos Origin SAE
eLearning scenario example
The application now runs in a distributed environment (SOA); previously it was a monolithic application. The main goal is to achieve a real market application that lets learning providers join a system that is widely open, secure and reliable, at no cost. Real business case.
General Deployment model
TrustCoM components and the members of the Virtual Organisation exchange SOAP messages. Standards shown in the diagram: MTOM, WS-Addressing, WS-Security, XACML, SSL and WS-Agreement.
TrustCoM used Components (within the Virtual Organisation)
VOLearning Deploy Scenario 3
Nodes shown in the deployment diagram:
- Atos: Linux, Oracle (two nodes)
- Atos: Linux, Java, Axis2
- Atos: Windows back end
- BAE: .NET
- HLRS: .NET
- Link to the MM Storage and SLA subsystem
- Albert (Learner), connecting over HTTP
- Learning Resource Providers
SLA Setup. Scenario 2
Parties shown: Atos (Windows, .NET), HLRS (.NET + Java), SICS, IC. Step shown: Make a replacement.
SLA Operation. Scenario 2
Parties shown: Atos (Windows, .NET), HLRS (.NET + Java), SICS, IC.
Message sequence shown in the diagram:
- Send timestamp
- Send Violation / Fulfillment
- Receive Violation / Fulfillment
- Send Violation / Fulfillment
- Receive Violation / Fulfillment
- Send Replacement
- Change Update / Policies
- Replacement
Business application
SLA Business Appliance
Every time a violation occurs, the price rises. If the violation is repeated too many times, a replacement is needed. On the other hand, if the SLA is fulfilled, the price decreases.
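The rule above, together with the SLA monitoring, evaluation and reputation flow from the Component View slides and the violation/fulfillment/replacement sequence of Scenario 2, as one worked example. This is added code, not TrustCoM's SLA Manager or SLA Monitor: the SLA terms, the status reports (timestamps with a measured response time), the price step, the reputation penalty and the replacement threshold are all constructed for the example.

```python
"""SLA monitoring, reputation and supplier replacement (added example,
not TrustCoM code).  SLAMonitor collects status reports and evaluates
each against the SLA; SLAManager applies the compliance information:
a violation raises the price and drops reputation, a fulfillment lowers
the price, and once violations reach the threshold the provider is
replaced and a reconfiguration event is raised.  All constants and
reports below are invented."""
from dataclasses import dataclass


@dataclass
class SLA:
    sla_id: str
    provider: str
    max_response_ms: int        # the Service Level Objective being monitored
    max_violations: int         # replacement threshold
    price_step: float           # price change per violation / fulfillment
    base_price: float


@dataclass
class ProviderState:
    price: float
    reputation: float = 1.0
    violations: int = 0
    replaced: bool = False


class SLAMonitor:
    """Collects SLA status reports and evaluates them against the SLA."""
    def __init__(self, sla):
        self.sla = sla
        self.reports = []

    def report(self, timestamp, response_ms):
        """'Send timestamp' in Scenario 2: one measurement per call."""
        self.reports.append((timestamp, response_ms))

    def evaluate(self):
        """Compliance information: one (outcome, timestamp, value) per report."""
        return [("violation" if ms > self.sla.max_response_ms else "fulfillment", ts, ms)
                for ts, ms in self.reports]


class SLAManager:
    """Applies compliance information to price, reputation and membership."""
    def __init__(self, sla, alternates):
        self.sla = sla
        self.alternates = list(alternates)   # candidate replacement providers
        self.state = ProviderState(price=sla.base_price)
        self.events = []

    def apply(self, compliance):
        s = self.state
        for outcome, ts, _ in compliance:
            if s.replaced:                    # nothing more to account against the old provider
                break
            if outcome == "violation":
                s.violations += 1
                s.price += self.sla.price_step
                s.reputation = max(0.0, s.reputation - 0.1)
                self.events.append(("ReputationDrop", self.sla.provider, ts))
                if s.violations >= self.sla.max_violations:
                    self.replace(ts)
            else:
                s.price = max(0.0, s.price - self.sla.price_step)
        return s

    def replace(self, ts):
        """'Send Replacement' then 'Change Update / Policies' in Scenario 2."""
        if not self.alternates:
            self.events.append(("NoReplacementAvailable", self.sla.provider, ts))
            return
        new = self.alternates.pop(0)
        self.events.append(("Replacement", self.sla.provider, new, ts))
        self.events.append(("Reconfiguration", new, ts))
        self.state.replaced = True


def demo():
    """Runs six constructed status reports through monitor and manager."""
    sla = SLA("sla-42", "provider-HLRS", max_response_ms=500, max_violations=3,
              price_step=5.0, base_price=100.0)
    mon = SLAMonitor(sla)
    for ts, ms in [(1, 120), (2, 700), (3, 310), (4, 900), (5, 650), (6, 200)]:
        mon.report(ts, ms)                    # constructed measurements
    mgr = SLAManager(sla, alternates=["provider-BAE"])
    state = mgr.apply(mon.evaluate())
    return state, mgr.events
```

Note that the manager stops accounting against the replaced provider as soon as the replacement fires; the remaining reports belong to the new provider's SLA, which would get its own monitor.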
Deployment effort for introducing new providers
- Replacement of a supplier on the fly
- Less person effort
- No need to register to the STS
- SLA in place, monitored
- Trusted & secured framework
- Awareness of providing good provision to the weaker partner (the Learner)
Conclusion
Security, with no cost to become a new supplier. Within this test bed implementation, providers have a fully functional platform to join the TrustCoM framework without major changes to their existing legacy systems, while ensuring correct, secure and reliable transmission of courses over the Internet.
Backup slides.
WS-Trust & SAML
- A WS-Trust and a SAML token profile for virtual organisations as scoped federations.
- To support different forms of federation (e.g. PKI, temporary tokens, context space protocols) an STS must be separate from a PDP.
- The TrustCoM architecture divides the STS from the PDP to support a PDP that only uses attributes and not tokens.
- Dividing the STS from the PDP requires separate protocols for each to talk to the PEP.
- SAML alone is deficient for talking to a PDP because it doesn't support obligations or the passing of operation arguments.
- The profile will specify how web service components (e.g. the PEP) communicate with security token services (STS) to request that an STS issue and validate cross-organisational security tokens.
- Converging the Microsoft WS-Trust & SAML protocol with the SAML standard. This standardisation will be demonstrated by replacing the EMIC STS (WS-Trust & SAML) with the UoK one (SAML only) within TrustCoM for the subset of activity that SAML addresses (STS to PEP communication).
XACML
- Transport of policies between a policy service and PDPs uses XACML. XACML itself does not define any transport format for policies; this profile defines transport formats for policies.
- Policies are enveloped in a signed transport format for secure distribution.
- XACML is a general standard and does not discuss web services. The profile also defines how to extract attributes from the SOAP header to identify who is making the request for a service, which action they request, etc.
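The two profile points above (signed policy transport, and attributes pulled from the SOAP header into the PDP's request) in working code. This is an added example and not TrustCoM's XACML profile: the policy envelope and the small rule language are invented, an HMAC stands in for the XML Signature a real profile would carry, the `urn:example:vo` role header and the sample SOAP message are constructed, and the SOAP, WS-Security and WS-Addressing namespace URIs are the standard ones used only to make the parse realistic.

```python
"""Signed policy distribution and SOAP-header attribute extraction
(added example, not TrustCoM's XACML profile).  A policy service wraps a
policy in a signed envelope; the PDP refuses to load it unless the
signature verifies; the PEP builds the request context (subject,
resource, action) from the SOAP header; the PDP evaluates rules
first-applicable and returns the decision with any obligations.
Envelope format, rule language, HMAC stand-in and sample message are
all invented for the example."""
import hashlib, hmac, json
import xml.etree.ElementTree as ET

NS = {"soap": "http://schemas.xmlsoap.org/soap/envelope/",
      "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
      "wsa": "http://www.w3.org/2005/08/addressing",
      "vo": "urn:example:vo"}                       # made-up VO role header namespace


def envelope_policy(policy, key):
    """Policy service side: canonicalise the policy and sign it."""
    canon = json.dumps(policy, sort_keys=True, separators=(",", ":"))
    sig = hmac.new(key, canon.encode(), hashlib.sha256).hexdigest()
    return {"policy": canon, "sig": sig}


def open_policy(envelope, key):
    """PDP side: verify before parsing; a tampered policy never loads."""
    expect = hmac.new(key, envelope["policy"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expect, envelope["sig"]):
        raise ValueError("policy envelope signature invalid")
    return json.loads(envelope["policy"])


def extract_request(soap_xml):
    """PEP side: subject from the WS-Security header, resource from
    wsa:To, action from wsa:Action.  Missing elements come back as None
    so a policy can never match on an attribute that was not asserted."""
    header = ET.fromstring(soap_xml).find("soap:Header", NS)
    if header is None:
        raise ValueError("SOAP message has no Header")
    return {"subject": {"id": header.findtext(
                            "wsse:Security/wsse:UsernameToken/wsse:Username", namespaces=NS),
                        "role": header.findtext("vo:Role", namespaces=NS)},
            "resource": header.findtext("wsa:To", namespaces=NS),
            "action": header.findtext("wsa:Action", namespaces=NS)}


def request_value(request, key):
    """Dotted lookup, e.g. 'subject.role' -> request['subject']['role']."""
    cur = request
    for part in key.split("."):
        cur = cur.get(part) if isinstance(cur, dict) else None
    return cur


def evaluate(policy, request):
    """First-applicable combining: the first rule whose target matches
    decides and contributes its obligations; otherwise the policy default."""
    for rule in policy["rules"]:
        if all(request_value(request, k) == v for k, v in rule["target"].items()):
            return rule["effect"], rule.get("obligations", [])
    return policy.get("default", "Deny"), []


# Constructed policy: learners may fetch courses (with an audit obligation);
# nobody may delete them; everything else falls to the Deny default.
POLICY = {
    "default": "Deny",
    "rules": [
        {"target": {"subject.role": "Learner", "resource": "urn:vo:CourseService",
                    "action": "urn:vo:CourseService/getCourse"},
         "effect": "Permit", "obligations": ["log-access"]},
        {"target": {"action": "urn:vo:CourseService/deleteCourse"}, "effect": "Deny"},
    ]}

# Constructed SOAP request from the learner 'albert' to the course service.
SAMPLE_SOAP = f"""<soap:Envelope xmlns:soap="{NS['soap']}" xmlns:wsse="{NS['wsse']}"
    xmlns:wsa="{NS['wsa']}" xmlns:vo="{NS['vo']}">
  <soap:Header>
    <wsse:Security><wsse:UsernameToken><wsse:Username>albert</wsse:Username>
    </wsse:UsernameToken></wsse:Security>
    <vo:Role>Learner</vo:Role>
    <wsa:To>urn:vo:CourseService</wsa:To>
    <wsa:Action>urn:vo:CourseService/getCourse</wsa:Action>
  </soap:Header>
  <soap:Body><getCourse><id>crypto-101</id></getCourse></soap:Body>
</soap:Envelope>"""


def demo():
    """Distribute, verify, extract, decide; then try a tampered envelope."""
    key = b"policy-service-signing-key"               # invented shared key
    env = envelope_policy(POLICY, key)
    policy = open_policy(env, key)
    req = extract_request(SAMPLE_SOAP)
    decision = evaluate(policy, req)
    tampered = dict(env, policy=env["policy"].replace('"Deny"', '"Permit"', 1))
    try:
        open_policy(tampered, key)
        tampered_loaded = True
    except ValueError:
        tampered_loaded = False
    return req, decision, tampered_loaded
```

The tampered case flips the policy default from Deny to Permit in transit; because the PDP verifies the envelope before it parses the policy, the flipped policy is never loaded, which is the whole reason the profile signs policies rather than trusting the transport.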