TrustCoM


European and Chinese Cooperation on Grid

TrustCoM: A framework for trust, security and contract management in dynamically evolving Virtual Organisations
Atos Origin, Ignacio Soler, [email protected]

Luxembourg - 6/7 February 2006 - TEL Projects meeting

Agenda:
- TrustCoM in a nutshell
- TrustCoM vision
- TrustCoM simplified architecture
- A real example using the TrustCoM architecture


Overview
TrustCoM has developed a framework for trust, security and contract management in dynamically evolving virtual organisations. It meets the needs of such organisations and provides the basis for products and services.



TrustCoM in a nutshell


From relationships to actual usage
[Diagram: the TrustCoM subsystems, Infrastructure Support, VO Management, SLA Management, Trust & Security, BP Management and Policy Services, mapped from the relationships between partners to their actual usage.]


Putting it all together
[Diagram: the VO Management Service, the Application Service, Trusted Third Parties and Supporting Services each sit behind a Gateway; each Gateway fronts a Service / Resource.]


And now: ACTION


Component level view: topic-specific interactions


Component View: I. Instantiation & Configuration


Component View: Instantiation (1)
Participants: VO Management and the Application Service, each behind its Gateway.
Message flow: Instantiation (contains config. info.) → Information About Member → Instantiate → Instantiate → Register Services → Instantiation


[Diagram: component boxes shown on every Component View slide: SLA Manager, SLA Repos., Factory, CDL++2 BPEL, BPM Service, Instantiator, Coordinator, PEP, Service Instance Registry, Notification Proxy, Policy Decision Point, Security Token Service, GVOA Manager, Membership Mgmt, Life-cycle Manager, Message Interceptor.]


Component View: Instantiation (2)
Participants: VO Management and the Application Service, each behind its Gateway, with the actual service behind the gateway.
Message flow: Instantiate → Instantiation Details (EPR) → Update Data



Component View: Configuration (1): Security Tokens
Participants: VO Management and the Application Service, each behind its Gateway, with the actual service behind the gateway.
Message flow: Issue Tokens → Token Information → Token Information



Component View: Configuration (2): Policies
Message flow: Policies, Roles, Relationships → Policy / Policy / Policy (a policy delivered to each party)


Component View: Configuration (3): BPs
Participants: VO Management and the Application Service, each behind its Gateway, with the actual service behind the gateway.
Message flow: Collaboration Description (Role) → Derived BP



Component View: Configuration (4): starting SLAs
Message flow: Start (SLA Id) → Get SLA → Start (SLA) → Instantiate & Configure (the SLA Monitor)



Component View: II. Messaging
Participants: VO Management and the Application Service, each behind its Gateway, with the actual service behind the gateway.



Component View: Msg: Security & Access Control
Participants: (Application) Service A and (Application) Service B, each behind its Gateway, with the actual service behind each gateway.
Sending side (Gateway of Service A):
1. Message to Service B (from the actual service)
2. Check Policies → Block/Allow
3. Get Token → Token
4. Resolve Handle → EPR (Service A = EPR x, Service B = EPR y, Service C = EPR z)
5. Forward Message to EPR y
Receiving side (Gateway of Service B):
6. Check Policies → Block/Allow
7. Validate Token → Ok/fail
8. (Resolve Handle) → (EPR)
9. Message to Service B (delivered to the actual service)
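The sending- and receiving-side gateway steps above, as an added example that is not part of the original slides or the TrustCoM code: the registry handles and EPR names come from the slide; the policy table, the STS key and the HMAC-signed token (standing in for a signed WS-Trust/SAML token) are assumptions.

```python
import hashlib
import hmac
import json

# Service Instance Registry: handle -> endpoint reference, as on the slide.
REGISTRY = {"Service A": "EPR x", "Service B": "EPR y", "Service C": "EPR z"}
# Assumptions: the STS signing key and the PDP policy (role, target) grants.
STS_KEY = b"constructed-sts-key"
POLICY = {("learner", "Service B"), ("provider", "Service C")}


def pdp_check(role, target):
    """Policy Decision Point: Allow only (role, target) pairs a policy grants."""
    return (role, target) in POLICY


def sts_issue(role, target):
    """STS IssueToken: bind role and audience; an HMAC stands in for a signed SAML token."""
    claims = json.dumps({"role": role, "aud": target}, sort_keys=True)
    mac = hmac.new(STS_KEY, claims.encode(), hashlib.sha256).hexdigest()
    return {"claims": claims, "mac": mac}


def sts_validate(token):
    """STS ValidateToken: recompute the MAC in constant time; None means 'fail'."""
    expected = hmac.new(STS_KEY, token["claims"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["mac"]):
        return None
    return json.loads(token["claims"])


def outbound_gateway(sender_role, target, body):
    """Gateway of service A: CheckPolicies, GetToken, ResolveHandle, then forward."""
    if not pdp_check(sender_role, target):
        return None                      # Block: the message never leaves the gateway
    token = sts_issue(sender_role, target)
    epr = REGISTRY.get(target)           # ResolveHandle -> EPR
    if epr is None:
        return None                      # unknown handle, nothing to forward to
    return {"to": epr, "target": target, "token": token, "body": body}


def inbound_gateway(my_handle, envelope):
    """Gateway of service B: ValidateToken with the STS, then CheckPolicies again."""
    claims = sts_validate(envelope["token"])
    if claims is None or claims["aud"] != my_handle:
        return "blocked: token invalid"  # forged, tampered, or meant for another service
    if not pdp_check(claims["role"], my_handle):
        return "blocked: policy"
    return "delivered: " + envelope["body"]
```

The receiving gateway validates the token before re-checking policy because the role it checks is read from the validated claims; the slide draws the two checks side by side.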



Component View: III. Trust & Contract Management
Participants: VO Management and the Application Service, each behind its Gateway, with the actual service behind the gateway.



Component View: SLA Mgmt (1): Monitoring & Eval.
Participants: Application Service, Gateway and the actual service, each with an SLA Monitor.
Message flow: Start SLA → Check System → SLA Status (reported at each level) → Evaluate → Compliance Information → Updated Reputation → Reputation Drop



Component View: Policy Violations
Participants: Application Service, Gateway and the actual service.
Message flow: Violation → Reputation Drop → Reconfiguration




An example to clarify things
Mid-term review, Imperial College London, UK, 5 October 2006
Ignacio Soler, Atos Origin SAE


eLearning scenario example
- The current application runs in a distributed environment (SOA); previously it was a monolithic application.
- The main goal is a real market application that lets learning providers join a system which is widely open, secure and reliable, at no cost.
- Real business case.



General Deployment model
[Diagram: TrustCoM and the Virtual Organisation partners exchange SOAP messages. Standards used: MTOM, WS-Addressing, WS-Security, XACML, SSL, WS-Agreement.]


TrustCoM components used
[Diagram: the TrustCoM components deployed in the Virtual Organisation.]


VOLearning Deploy Scenario 3
[Diagram: deployment nodes Atos Linux Oracle (two), Atos Linux Java Axis2, Atos Windows BackEnd, BAE .NET and HLRS .NET (connected to MM Storage and the SLA subsystem); Albert (the Learner) and the Learning Resource Providers connect over http.]


SLA Setup. Scenario 2
Partners: Atos Windows .NET, HLRS .NET + Java, SICS, IC.
Action: Make a replacement.


SLA Operation. Scenario 2
Partners: Atos Windows .NET, HLRS .NET + Java, SICS, IC.
Message flow: Send timestamp → Send Violation / Fulfillment → Receive Violation / Fulfillment → Send Violation / Fulfillment → Receive Violation / Fulfillment → Send Replacement → Change Update / Policies → Replacement


Business application


SLA Business Appliance
- Every time a violation occurs, the price rises.
- If the violation is produced too many times, a replacement is needed.
- Conversely, if the SLA is fulfilled, the price decreases.
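The monitoring flow of the Component View slides (SLA Status → Evaluate → Reputation Drop → Reconfiguration) combined with the pricing rule above, as an added example that is not code from the TrustCoM project: the event list is constructed, and the reputation penalty, price step and replacement threshold are assumptions.

```python
from dataclasses import dataclass

# Assumed parameters: penalty per violation, price step per event and the
# number of violations after which a supplier is replaced.
REPUTATION_DROP = 0.2
PRICE_STEP = 0.10
MAX_VIOLATIONS = 3


@dataclass
class ProviderState:
    reputation: float = 1.0
    price: float = 100.0
    violations: int = 0
    replaced: bool = False


def evaluate(state, status):
    """SLA evaluator: apply one status ('violation' or 'fulfillment'), return the action."""
    if state.replaced:
        return "ignored"                 # a replaced supplier gets no further updates
    if status == "violation":
        state.violations += 1
        state.reputation = max(0.0, state.reputation - REPUTATION_DROP)
        state.price = round(state.price * (1 + PRICE_STEP), 2)   # price rises
        if state.violations >= MAX_VIOLATIONS:
            state.replaced = True
            return "replace"             # Reconfiguration: swap supplier, update policies
        return "reputation_drop"
    if status == "fulfillment":
        state.price = round(state.price * (1 - PRICE_STEP), 2)   # price lowers
        return "price_lowered"
    raise ValueError(f"unknown SLA status: {status}")


def run_monitor(events):
    """Feed (provider, status) events from the SLA monitor; return states and actions."""
    states, actions = {}, []
    for provider, status in events:
        state = states.setdefault(provider, ProviderState())
        actions.append((provider, evaluate(state, status)))
    return states, actions
```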


Deployment effort for introducing new providers
- Replacement of a supplier on the fly
- Less person effort
- No need to register to the STS
- SLA in place, monitored
- Trusted & secured framework
- Awareness of providing good provision to the weaker partner (Learner)



Conclusion
- Security, with no cost to become a new supplier.
- Within the implementation of this test bed, the providers have a fully functional platform to join the TrustCoM framework without making major changes to their respective legacy systems, while ensuring correct, secure and reliable transmission of the courses over the internet.


Backup slides.


WS-Trust & SAML
- A WS-Trust and a SAML token profile for virtual organizations as scoped federations.
- To support different forms of federation an STS must be separate from a PDP, e.g. PKI, temporary tokens, context space protocols.
- The TrustCoM architecture divides the STS from the PDP to support a PDP that only uses attributes and not tokens.
- Dividing the STS from the PDP requires separate protocols for each to talk to the PEP.
- SAML alone is deficient to talk to a PDP because it doesn't support obligations or the passing of operation arguments.
- The profile will specify how web service components (e.g. PEP) communicate with security token services (STS) to request an STS to issue and validate cross-organizational security tokens.
- Converging the Microsoft protocol WS-Trust & SAML with the SAML standard.
- This standardisation will be demonstrated by replacing the EMIC STS (WS-Trust & SAML) with the UoK one (SAML only) within TrustCoM for the subset of activity that SAML addresses (STS to PEP communication).


XACML
- Transport of policies between a policy service and PDPs uses XACML.
- XACML itself does not define any kind of transport format for policies. This profile defines transport formats for policies.
- Policies are enveloped in a signed transport format for secure distribution.
- XACML is a general standard and does not discuss web services.
- The profile also defines how to extract attributes from the SOAP header to identify who is making the request for a service, which action they request, etc.
