TrustCoM

Presentation Transcript


  1. TrustCoM: A framework for trust, security and contract management in dynamically evolving Virtual Organisations. Atos Origin, Ignacio Soler, Ignacio.solerjubert@atosorigin.com

  2. TrustCoM in a nutshell. • TrustCoM vision • TrustCoM simplified Architecture • A real example using TrustCoM Architecture. European and Chinese Cooperation on Grid Beijing – 7 to 9 February 2007

  3. Overview • TrustCoM has developed a framework for trust, security and contract management in dynamically evolving virtual organisations, which meets the needs of such organisations and provides the basis for products and services.

  4. TrustCoM in a nutshell

  5. From relationships to actual usage [diagram: VO Management Types, Supporting Service Types, Application Service Types, Trusted Third Parties; functional areas: Trust & Security, Infrastructure Support, SLA Management, VO Management, Policy Services, BP Management]

  6. Putting it all together… [architecture diagram; groups: VO Management Service, Supporting Services, Application Service „Gateway“, Service / Resource „Gateway“, Trusted Third Parties; components shown: Discovery, SLA Perf. Log, SLA Monitor Factory, SLA Repos., SLA Signer, Negotiator, CDL++ 2 BPEL, SLA Manager, BPM Service, Secure Audit Log, Data Provider, SLA Templ. R., Service Registry, Notif. Broker, BP Repository, SLA Evaluator, Rep. Mgmt., Policy Service, Coordinator, Notary, GVOA Manager, Lifecycle Manager, Membership Mgt, Sec. Token Svc, Factory, Rep. Eval.]

  7. 3, 2, 1… And now: ACTION

  8. Component level view: topic-specific interactions

  9. Component View I. Instantiation & Configuration [diagram; groups: VO Management, VO Management Service, Supporting Services, Application Service, Trusted Third Parties; components shown: Application Svc., BP Repository, SLA Templ. R., Rep. Mgmt., Service Registry, Policy Service, Secure Audit Log, SLA Evaluator, VO Mgmt Service, Notary Service, Discovery, VO Manager Service, Notif. Broker, Rep. Evaluator, SLA Perf. Log]

  10. Component View Instantiation (1) [sequence between VO Management and Application Service „Gateway“: Instantiate; Instantiation (contains config. info.); Register Services; Information About Member]

  11. Component View Instantiation (1) [diagram continued: VO Management, Application Service „Gateway“]

  12. Component View Instantiation (2) [VO Management, Application Service „Gateway“, actual service: Instantiate; Instantiation Details (EPR); Update Data]

  13. Component View Configuration (1): Security Tokens [VO Management, Application Service „Gateway“, actual service: Issue Tokens; Token Information]

  14. Component View Configuration (2): Policies [VO Management, Policy Service, Application Service „Gateway“, actual service: Policies, Roles, Relationships; Policy]

  15. Component View Configuration (3): BPs [VO Management, Application Service „Gateway“, actual service: Collaboration Description (Role); Derived BP]

  16. Component View Configuration (4): „starting“ SLAs [VO Management, SLA Evaluator, Application Service „Gateway“, actual service: Instantiate & Configure; Start (SLA Id); Start (SLA); Get SLA]

  17. Component View Configuration (4): „starting“ SLAs (continued) [same components: Start (SLA); Instantiate & Configure; Start (SLA); Get SLA]

  18. Component View II. Messaging [VO Management, (Application) Services, Application Service „Gateway“, actual service]

  19. Component View Msg: Security & Access Control [message flow between two (Application) Services through their „Gateway“s: Get Token; Token; Message to Service B; Validate Token; Ok/fail; Check Policies; Block/Allow; Resolve Handle; EPR; Forward Message to EPR y. Handle registry: Service A = EPR x, Service B = EPR y, Service C = EPR z, …]

  20. Component View III. Trust & Contract Management [VO Management, (Application) Services, Application Service „Gateway“, actual service]

  21. Component View SLA Mgmt (1): Monitoring & Eval. [diagram; groups: VO Management, VO Management Service, Supporting Services, Application Service „Gateway“, actual service, Trusted Third Parties; components shown: Rep. Mgmt., Secure Audit Log, VO Manager, Rep. Evaluator, SLA Perf. Log, SLA Evaluator, Notary, Policy Service, SLA Templ. R.]

  22. Component View SLA Mgmt: Monitoring & Eval. [same components; flow: Start SLA; SLA Status; Check System; SLA Status; Compliance Information; Evaluate; Reputation Drop; Updated Reputation]

  23. Component View Policy Violations [same components; flow: Violation; Reputation Drop; Reconfiguration]

  24. Component View SLA Mgmt: Monitoring & Eval. [same components; combined flow: Start SLA; SLA Status; Check System; Compliance Information; Evaluate; Reputation Drop; Updated Reputation; Reconfiguration]

  25. An example to clarify things… (slide from the 5th October mid-term review, Imperial College London, UK, 5 October 2006; Ignacio Soler, Atos Origin SAE)

  26. eLearning scenario example • The current application runs in a distributed environment (SOA); previously it was a monolithic application. • The main goal is a real market application that lets learning providers join a system which is widely open, secure and reliable, at no cost. • Real business case.

  27. General Deployment model [diagram; nodes: Atos Linux Java Axis2, HLRS .NET + Java, Atos Linux Oracle, Atos Windows .NET, IC Java, SICS Java, Atos Windows Browser; links labelled SOAP, MTOM, WS-Addressing, WS-Security, WS-Agreement, XACML, SSL; TrustCoM Virtual Organisation]

  28. TrustCoM used Components [deployment diagram of the Virtual Organisation; hosts: Atos Linux Java Axis2, HLRS, Atos Linux Oracle, Atos Windows .NET, BAE, IC, SICS; components: PEP 4 Client, PEP 4 Server, SLAManager, VO SLAManager, NotificationBroker, Oracle Database, LRProviderGateway, SLAMonitor, Notification Proxy, Accounter, PDP, NotPxyFactory, LRProvider, PortalProviderGateway, SLAEvaluator, MMStorage, SLA Monitor Factory, SLAPerformanceLog, PolicyService, DataBase MySQL, SIR, STS-LRP, STS-PP]

  29. VOLearning Deploy Scenario: 3 Learning Resource Providers [deployment diagram; hosts: Atos Linux Oracle, HLRS .NET, BAE .NET, Atos Linux Java Axis2, Atos Windows BackEnd; components: PEP 4 Client, PEP 4 Server, Oracle Database, Browser, PDP, LRProvider, LRProviderGateway, PortalProviderGateway, STS-LRP, STS-PP; http links to MMStorage and the SLA subsystem; Albert / Learner]

  30. [diagram only; no text recovered]

  31. SLA Setup, Scenario 2 [sequence diagram; components: SLA Monitor Factory, SLA Monitor, NoxyFactory, Notification Proxy, Notification Broker, Policy Service, SLA Manager, MMStorage, SLA Evaluator, Service Instance Registry, SLA Performance Log, VOManager; hosts: Atos Windows .NET, HLRS .NET + Java, SICS, IC. Steps: 1. Get an EPR from the factory; [1] getInstance Accounter; [2] getInstance Noxy; [3] getInstance + registry Broker; [4] register to SLAStatusUpdate as producer; [5] setSLA(SLA, Noxy EPR); [6] subscribe to SLAStatusUpdate as Consumer; [7] Register as SLANotification as Producer; [8] Subscribe to SLAViolation topic; Make a replacement]

  32. SLA Operation, Scenario 2 [sequence diagram; components: PEP 4 Server, PEP 4 Client, LRProviderGateway, SLA Monitor, Notification Proxy, MMStorage, Policy Service, SLA Evaluator, VOManager, PortalProviderGateway; hosts: Atos Windows .NET, HLRS .NET + Java, SICS, IC. Messages: Send timestamp; Send Violation / Fulfillment; Receive Violation / Fulfillment; Change Update / Policies; Replacement; Send Replacement]

  33. Business application

  34. SLA Business Appliance • Every time a violation occurs, the price goes up. • If the violation is produced too many times, a replacement is needed. • On the other hand, if the SLA is fulfilled, the price goes down.
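The pricing rule above, applied to the violation / fulfillment notifications an SLA Monitor publishes (slide 32), as an added example that is not TrustCoM project code. The price step, the violation threshold, the rule that fulfillments do not reset the violation count, and the sample notifications are all constructed assumptions; the slide gives none of these values.

```python
from dataclasses import dataclass, field

PRICE_STEP = 5.0        # constructed: price change per notification
MAX_VIOLATIONS = 3      # constructed: violations tolerated before a replacement


@dataclass
class ProviderSla:
    provider: str
    price: float
    violations: int = 0
    replacement_requested: bool = False
    history: list = field(default_factory=list)   # (timestamp, status, price)


class SlaEvaluator:
    """Applies the slide's pricing rule to each SLA status notification and
    records which providers the VOManager should replace."""

    def __init__(self, base_prices):
        self.slas = {p: ProviderSla(p, price) for p, price in base_prices.items()}
        self.replacements = []          # providers escalated for replacement

    def on_notification(self, provider, status, timestamp):
        sla = self.slas[provider]
        if sla.replacement_requested:
            return sla                  # already escalated; later events are ignored
        if status == "violation":
            sla.violations += 1         # constructed: fulfillments do not reset this
            sla.price += PRICE_STEP
            if sla.violations >= MAX_VIOLATIONS:
                sla.replacement_requested = True
                self.replacements.append(provider)
        elif status == "fulfillment":
            sla.price = max(0.0, sla.price - PRICE_STEP)   # constructed floor at zero
        else:
            raise ValueError(f"unknown SLA status {status!r}")
        sla.history.append((timestamp, status, sla.price))
        return sla


# Constructed sample of (timestamp, provider, status) notifications, in the
# order an SLA Monitor would publish them on the SLA status topic.
SAMPLE_NOTIFICATIONS = [
    ("2007-02-07T09:00", "LRP-1", "fulfillment"),
    ("2007-02-07T09:05", "LRP-2", "violation"),
    ("2007-02-07T09:10", "LRP-1", "fulfillment"),
    ("2007-02-07T09:15", "LRP-2", "fulfillment"),
    ("2007-02-07T09:20", "LRP-2", "violation"),
    ("2007-02-07T09:25", "LRP-2", "violation"),    # third violation: replacement
    ("2007-02-07T09:30", "LRP-2", "violation"),    # ignored: LRP-2 already escalated
]


def run_sample():
    """Feed the constructed notifications through the evaluator."""
    ev = SlaEvaluator({"LRP-1": 100.0, "LRP-2": 100.0})
    for ts, provider, status in SAMPLE_NOTIFICATIONS:
        ev.on_notification(provider, status, ts)
    return ev


if __name__ == "__main__":
    result = run_sample()
    for sla in result.slas.values():
        print(sla.provider, sla.price, sla.violations, sla.replacement_requested)
    print("replace:", result.replacements)
```

With the sample feed, LRP-1 ends at 90.0 after two fulfillments, while LRP-2 ends at 110.0 with three violations and is the only provider handed to the VOManager for replacement.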

  35. Deployment effort for introducing new providers • Replacement of a supplier on the fly • Less person effort • No need to register with the STS • SLA in place, monitored… • Trusted & secured framework • Awareness of providing good provision to the weaker partner (the learner)

  36. Conclusion • Security, and no cost to become a new supplier. • Within the implementation of this test bed, the providers have a fully functional platform to get into the TrustCoM framework without making major changes to their respective legacy systems, while ensuring correct, secure and reliable transmission of the courses over the internet.

  37. Backup slides.

  38. WS-Trust & SAML • A WS-Trust and SAML token profile for virtual organisations as “scoped federations” • To support different forms of federation an STS must be separate from a PDP – e.g. PKI, temporary tokens, context space protocols • The TrustCoM architecture divides the STS from the PDP to support a PDP that only uses attributes and not tokens • Dividing the STS from the PDP requires separate protocols for each to talk to the PEP. • SAML alone is insufficient for talking to a PDP because it doesn’t support obligations or the passing of operation arguments • The profile will specify how web service components (e.g. a PEP) communicate with security token services (STS) to request that an STS issue and validate ‘cross-organisational’ security tokens • Converging the Microsoft WS-Trust & SAML protocol with the SAML standard. • This standardisation will be demonstrated by replacing the EMIC STS (WS-Trust & SAML) with the UoK one (SAML only) within TrustCoM for the subset of activity that SAML addresses (STS to PEP communication).
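An added example, not TrustCoM code, of the gateway flow on the Security & Access Control slide (slide 19) with the separation this slide requires: the STS only issues and validates tokens and hands back attributes, the PDP decides on attributes plus the operation arguments and can attach an obligation, and the PEP (gateway) talks to each over its own call before resolving the service handle to an EPR. The HMAC-signed token format (standing in for a signed SAML assertion), the attribute names, the rules, the `audit` obligation and the sample messages are constructed assumptions; only the handle table (Service A = EPR x, …) comes from the slide.

```python
import hashlib
import hmac
import json
import time

# Constructed assumption: a key shared by the STS and the gateway stands in
# for the signed SAML assertions a TrustCoM token would carry.
STS_KEY = b"demo-sts-key-constructed-for-this-example"


class SecurityTokenService:
    """Issues and validates tokens. It knows nothing about policies, which is
    what allows the PDP to work on attributes alone."""

    def issue(self, subject, role, org, ttl=300, now=None):
        now = time.time() if now is None else now
        claims = {"sub": subject, "role": role, "org": org, "exp": now + ttl}
        body = json.dumps(claims, sort_keys=True)
        sig = hmac.new(STS_KEY, body.encode(), hashlib.sha256).hexdigest()
        return body + "." + sig          # hex digest has no '.', so rpartition splits it off

    def validate(self, token, now=None):
        """Return the attributes of a genuine, unexpired token, else None."""
        now = time.time() if now is None else now
        body, sep, sig = token.rpartition(".")
        if not sep:
            return None
        expected = hmac.new(STS_KEY, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            return None
        claims = json.loads(body)
        if claims["exp"] <= now:
            return None
        return {"sub": claims["sub"], "role": claims["role"], "org": claims["org"]}


class PolicyDecisionPoint:
    """Decides on (attributes, service, action, operation arguments); may
    return obligations. It never sees the token itself."""

    def __init__(self, rules):
        self.rules = rules   # (role, service, action, argument predicate, obligations)

    def decide(self, attrs, service, action, args):
        for role, svc, act, arg_ok, obligations in self.rules:
            if attrs["role"] == role and svc == service and act == action:
                return ("Permit", list(obligations)) if arg_ok(args) else ("Deny", [])
        return "Deny", []    # no matching rule: fail closed


class Gateway:
    """PEP: validates the token with the STS, asks the PDP, resolves the
    service handle to an EPR, then blocks or forwards."""

    def __init__(self, sts, pdp, registry):
        self.sts, self.pdp, self.registry = sts, pdp, registry
        self.audit_log = []              # where the 'audit' obligation is fulfilled

    def handle(self, message, now=None):
        attrs = self.sts.validate(message["token"], now)
        if attrs is None:
            return {"status": "fail", "reason": "token rejected by STS"}
        decision, obligations = self.pdp.decide(
            attrs, message["service"], message["action"], message.get("args", {}))
        if decision != "Permit":
            return {"status": "blocked", "reason": "policy denies"}
        epr = self.registry.get(message["service"])
        if epr is None:
            return {"status": "fail", "reason": "unresolvable handle"}
        if "audit" in obligations:
            self.audit_log.append((attrs["sub"], message["service"], message["action"]))
        return {"status": "forwarded", "epr": epr}


def demo():
    """Constructed walk-through; returns the gateway outcomes."""
    sts = SecurityTokenService()
    pdp = PolicyDecisionPoint([
        # learners may download courses of at most 500 MB, and each download is audited
        ("learner", "Service B", "download", lambda a: a.get("size_mb", 0) <= 500, ["audit"]),
        ("provider", "Service B", "upload", lambda a: True, []),
    ])
    registry = {"Service A": "EPR x", "Service B": "EPR y", "Service C": "EPR z"}
    gw = Gateway(sts, pdp, registry)
    t0 = 1_000_000.0
    learner = sts.issue("albert", "learner", "AtosPortal", ttl=300, now=t0)
    provider = sts.issue("lrp1", "provider", "HLRS", ttl=300, now=t0)
    forged = learner[:-1] + ("0" if learner[-1] != "0" else "1")   # last signature char altered
    dl = {"service": "Service B", "action": "download"}
    results = {
        "ok": gw.handle({**dl, "token": learner, "args": {"size_mb": 120}}, now=t0 + 10),
        "too_big": gw.handle({**dl, "token": learner, "args": {"size_mb": 900}}, now=t0 + 10),
        "wrong_role": gw.handle({**dl, "token": provider, "args": {"size_mb": 1}}, now=t0 + 10),
        "expired": gw.handle({**dl, "token": learner, "args": {"size_mb": 1}}, now=t0 + 600),
        "forged": gw.handle({**dl, "token": forged, "args": {"size_mb": 1}}, now=t0 + 10),
    }
    results["audit_entries"] = len(gw.audit_log)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The point of the split shows in `handle`: a forged or expired token never reaches the PDP, and a genuine token with the wrong role or an oversized argument is blocked by policy without the PDP ever parsing a token. Passing `args` to `decide` is what the slide means by "passing of operation arguments", and the `audit` entry is the obligation a plain SAML assertion could not express.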

  39. XACML • Transport of policies between a policy service and PDPs uses XACML • XACML itself does not define any kind of transport format for policies. • This profile defines transport formats for policies • Policies are enveloped in a signed transport format for secure distribution • XACML is a general standard and does not discuss web services • The profile also defines how to extract attributes from the SOAP header to identify who is making the request for a service, which action they request etc…
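An added example, not TrustCoM code, of the two points on this slide: a PDP that loads a policy only after the signature on its transport envelope verifies, and extraction of the requester and action from SOAP headers. The envelope layout, the HMAC-SHA256 signature (a stand-in for the XML Signature a real signed transport format would use), the `tc:Subject` / `tc:Action` header elements and their namespace, and the simplified XACML-like rule set are all constructed assumptions; real XACML policies are far more verbose than the `Rule` attributes used here.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed: key shared by the Policy Service and the PDP.
POLICY_SIGNING_KEY = b"policy-service-key-constructed"
NS_SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
NS_TC = "urn:example:trustcom-demo"      # constructed header namespace

# Constructed, XACML-like rule set: first matching rule wins.
POLICY_XML = (
    '<PolicySet PolicySetId="elearning">'
    '<Rule Effect="Permit" role="learner" action="download" resource="GetCourse"/>'
    '<Rule Effect="Deny" role="learner" action="delete" resource="*"/>'
    '<Rule Effect="Permit" role="provider" action="delete" resource="*"/>'
    '</PolicySet>'
)


def sign_policy(policy_xml):
    """Policy Service side: wrap the policy in a signed transport envelope."""
    sig = hmac.new(POLICY_SIGNING_KEY, policy_xml.encode(), hashlib.sha256).hexdigest()
    env = ET.Element("PolicyEnvelope")
    ET.SubElement(env, "PolicyDocument").text = policy_xml   # escaped text round-trips byte-exact
    ET.SubElement(env, "Signature", alg="HMAC-SHA256").text = sig
    return ET.tostring(env, encoding="unicode")


def open_envelope(envelope_xml):
    """PDP side: return the policy element only if the signature verifies."""
    env = ET.fromstring(envelope_xml)
    doc = env.findtext("PolicyDocument")
    sig = env.findtext("Signature")
    if doc is None or sig is None:
        raise ValueError("malformed policy envelope")
    expected = hmac.new(POLICY_SIGNING_KEY, doc.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("policy signature does not verify; policy rejected")
    return ET.fromstring(doc)


def extract_request_attributes(soap_xml):
    """Identify who is asking and for which action from the SOAP header, and
    take the requested operation from the body's first child."""
    root = ET.fromstring(soap_xml)
    header = root.find(f"{{{NS_SOAP}}}Header")
    body = root.find(f"{{{NS_SOAP}}}Body")
    if header is None or body is None or len(body) == 0:
        raise ValueError("SOAP envelope lacks header or body")
    subject = header.find(f"{{{NS_TC}}}Subject")
    action = header.find(f"{{{NS_TC}}}Action")
    if subject is None or action is None or not subject.text or not action.text:
        raise ValueError("request carries no subject/action attributes")
    operation = body[0].tag.split("}")[-1]        # drop a namespace prefix if present
    return {"subject": subject.text, "role": subject.get("role", ""),
            "action": action.text, "resource": operation}


def evaluate(policy, attrs):
    """First matching rule decides; no match is a Deny (fail closed)."""
    for rule in policy.iter("Rule"):
        if (rule.get("role") == attrs["role"] and rule.get("action") == attrs["action"]
                and rule.get("resource") in ("*", attrs["resource"])):
            return rule.get("Effect")
    return "Deny"


def soap_request(subject, role, action, operation):
    """Constructed SOAP request carrying identity attributes in the header."""
    return (
        f'<soap:Envelope xmlns:soap="{NS_SOAP}" xmlns:tc="{NS_TC}">'
        f'<soap:Header><tc:Subject role="{role}">{subject}</tc:Subject>'
        f'<tc:Action>{action}</tc:Action></soap:Header>'
        f'<soap:Body><{operation} courseId="lin-101"/></soap:Body>'
        f'</soap:Envelope>'
    )


def demo():
    """Distribute the policy, decide four constructed requests, and confirm a
    tampered envelope (the learner delete rule flipped to Permit) is rejected."""
    envelope = sign_policy(POLICY_XML)
    policy = open_envelope(envelope)
    decide = lambda *a: evaluate(policy, extract_request_attributes(soap_request(*a)))
    results = {
        "learner_download": decide("albert", "learner", "download", "GetCourse"),
        "learner_delete": decide("albert", "learner", "delete", "DeleteCourse"),
        "provider_delete": decide("lrp1", "provider", "delete", "DeleteCourse"),
        "no_rule": decide("albert", "learner", "upload", "PutCourse"),
    }
    tampered = envelope.replace('Effect="Deny"', 'Effect="Permit"')
    try:
        open_envelope(tampered)
        results["tampered_accepted"] = True
    except ValueError:
        results["tampered_accepted"] = False
    return results


if __name__ == "__main__":
    print(demo())
```

The signature is checked over the exact policy text before any parsing of it happens, so a policy altered in transit is never loaded into the PDP; the header extraction also refuses requests with no subject or action rather than defaulting to anonymous, which keeps the PDP's fail-closed default meaningful.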
