Description: Managing human and device identities in unified communication and SOA
Quantum Framework: Identity and Trust
Jin Peng Feb 12, 2009
Identities in System (Network) Management
People Identity Management
Creation, management and deletion of administrative users
User authentication (login), Single Sign-On, Federation
Role/Policy based flexible access control
Other security policies (password complexity, session timeout etc.)
Network Element Identity Management
Network element joins the security domain and registers itself
Keep track of each network element's metadata (IP address, element type, release number)
Keep track of each network element's public key and X.509 certificate
Keep track of the Web services supported by each network element, via a standard Universal Description Discovery and Integration (UDDI) interface
Provide the common registry for other services and data mashup
Quantum Framework: Bring people and network together through identity and trust management
[Diagram labels: People Identity; Network Element Identity; AAA; PKI; Security: Confidentiality, Integrity, Availability (CIA)]
Open Source Stack
Java
JBoss
OpenSSO
Spring Framework
Bouncy Castle, OpenSSL, JavaSSH
Quantum Frame
CND (OpenLDAP)
Quantum is a combination of JBoss, OpenSSO and other open source projects. It is built and maintained in Norforge as an internal open source program. It is presently used by CS1k, MAS, CC7, AS5300 MAS, and CDN.
Quantum provides the following functions:
• Central registry via UDDI
• RBAC authorization and authentication for all applications running in JBoss
• Single sign-on across applications and hardware platforms
• PKI management, RADIUS support, external A&A etc.
Quantum Framework
Quantum is deployed in 3 possible options:
1. Primary
2. Backup
3. Member
[Diagram labels: Primary Quantum Frame (1); Backup Quantum Frame (0/1); Member Quantum Frame (0/n)]
Common Login and Single Sign-On
Common Login page for a security domain
Only login once, Single Sign-On inside the security domain
Built-in RADIUS service for CLI login
Manage administrative users
Support multiple external authentication protocols
Role based per element type or per instance access control
Support different permissions (authorization model) for different types of element
Control security policies centrally
Monitor Active Sessions
Review Audit Log
A Common Registry for Network Elements
Element registry is the fundamental lookup table for the network
It keeps track of what devices are in the network, what they can do, how to reach them, the URL to manage them etc.
Using public-key cryptography, each network element is uniquely identified by its RSA key pair or X.509 certificate; this assures we are talking to the right elements
Element grouping keeps track of the relationships between network elements
Standards-based UDDI Web service support for the element registry
Manage Network Elements
Network level services can be integrated dynamically into the main navigator
New types of network element, new instances of elements and their web based management consoles can be registered dynamically.
Dynamic grouping of registered elements and network services
You can only see links to which you have been granted access rights
Mashup with Quantum Framework
Quantum: Network metadata registry (Universal Description Discovery and Integration): what is on the network (inventory), what they can do (SOA), what their relations are, how to reach them, how to protect them (security)
[Diagram labels: Quantum: Security: AAA and PKI; Fault/Performance Management; Other Network services; Subscriber Management; Configuration; Deployment; Patching; Quantum Framework; Third party Applications; Nortel Management Applications; Combinations of Third party discovery and Nortel Registration]
Legend:
Launches Subscriber Manager; Launches Deployment Manager; Launches SNMP Profile Manager; Launches NRS Manager; Launches Element Manager, BCC; Launches Base Manager; Launches Central Patch Manager
Graphical View of CS1000 Services Mashup on top of Quantum Framework
An example of a Mashup service based on the element registry: Central Deployment Management
Circle of Trust Based on Public Key Infrastructure
A user trusts a network element based on:
It has a public key that can be trusted, or
It has an X.509 certificate issued by a trusted certificate authority
A network element (or its management application) trusts a user based on:
Authentication result: is the user authenticated
Access control decisions from the trusted Policy Decision Point: what an authenticated user can do on the element
A network element trusts another network element based on:
It has a public key that can be trusted, or
It has an X.509 certificate issued by a trusted certificate authority
Circle of Trust: manage network elements' X.509 certificates, trusted Certificate Authorities and Certificate Revocation Lists centrally
Circle of Trust: built-in private Certificate Authority to bootstrap the trust and reduce the cost of using a commercial CA
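As an added example (not Quantum's code and not from the slides), the element-trust rule above written in Go with only the standard library: an element is trusted when the registry pins its public key or its certificate chains to a trusted CA, and never when its serial number is on the CRL. The element names, the private CA and the revocation are constructed for the demonstration.

```go
package main
import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// Registry stands in for the slides' central element registry: pinned public keys, the trusted CA pool and the CRL.
type Registry struct {
	PinnedSPKI map[string][32]byte // element name -> SHA-256 of its SubjectPublicKeyInfo
	TrustedCAs *x509.CertPool
	Revoked    map[string]bool // certificate serial numbers on the centrally managed CRL
}
// TrustElement applies the slide's rule: pinned public key, or a certificate issued by a trusted CA; a revoked serial fails either path.
func (r *Registry) TrustElement(name string, c *x509.Certificate) bool {
	fp, pinned := r.PinnedSPKI[name]
	_, err := c.Verify(x509.VerifyOptions{Roots: r.TrustedCAs})
	return !r.Revoked[c.SerialNumber.String()] &&
		((pinned && fp == sha256.Sum256(c.RawSubjectPublicKeyInfo)) || err == nil)
}
func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }
// mintCert issues a certificate for cn with a fresh RSA key pair; a nil parent means self-signed.
func mintCert(cn string, ca bool, parent *x509.Certificate, signer *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	tmpl := &x509.Certificate{SerialNumber: must(rand.Int(rand.Reader, big.NewInt(1<<62))),
		Subject: pkix.Name{CommonName: cn}, IsCA: ca, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign}
	if parent == nil {
		parent, signer = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer))
	return must(x509.ParseCertificate(der)), key
}
// Demo builds a constructed scenario (names made up): built-in private CA, an element it issued, a pinned self-signed element, an unknown element, then a revocation.
func Demo() (issued, pinned, stranger, revoked bool) {
	ca, caKey := mintCert("Quantum Private CA", true, nil, nil)
	el, _ := mintCert("cs1k-callserver-1", false, ca, caKey)
	pin, _ := mintCert("legacy-gw", false, nil, nil)
	unknown, _ := mintCert("rogue-element", false, nil, nil)
	reg := &Registry{TrustedCAs: x509.NewCertPool(), Revoked: map[string]bool{},
		PinnedSPKI: map[string][32]byte{"legacy-gw": sha256.Sum256(pin.RawSubjectPublicKeyInfo)}}
	reg.TrustedCAs.AddCert(ca)
	issued, pinned, stranger = reg.TrustElement("cs1k-callserver-1", el), reg.TrustElement("legacy-gw", pin), reg.TrustElement("rogue-element", unknown)
	reg.Revoked[el.SerialNumber.String()] = true // the operator revokes the issued certificate centrally
	return issued, pinned, stranger, reg.TrustElement("cs1k-callserver-1", el)
}
```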
Internal Open Source
Hosted in Norforge: https://norforge.nortel.com/projects/quantum/
Released in MAS ICP 6.1. To be released in CS1000 release 6.0, Contact Center release 7.0, MAS AS5300, MAS A2E release and Converged Data Network release
Integration options with Quantum Framework
There are a number of possible integration options, from the most loosely coupled hyperlink model to full engagement with the network level mashup services, or even providing new network Mashup services.
Level 1: Add the URL of your application as a bookmark in Quantum's element table
Level 2: Integrate with Quantum's authentication service to achieve Single Sign-On and common login through RADIUS, (REST or SOAP) Web Service, SAML based Federation etc.
Level 3: Integrate with Quantum's authorization and UDDI element registry service: declare your own element type, register your applications as managed elements or services, query access control decisions from Quantum's central PDP (Policy Decision Point)
Level 4: Declare supported (Web) services in your element type definition, integrate with existing network Mashup services such as Subscriber Manager, Certificate Manager, Deployment Manager
Level 5: Create new network Mashup services (alarm management, performance management, topology management)
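An added example (not Quantum's code) of the central Policy Decision Point that Level 3 queries, covering the per-element-type authorization model and the per-type or per-instance role grants described under Common Login; the element types, permissions, roles and instance names are constructed.

```go
package main

import "fmt"

// Each element type has its own authorization model, i.e. its own permission vocabulary
// (constructed values; the slides name no concrete element types or permissions).
var permissionsByType = map[string][]string{
	"CallServer": {"view", "configure", "patch"},
	"Gateway":    {"view", "configure", "reboot"},
}
// Grant lets a role exercise one permission on every element of a type (Instance == "")
// or on a single registered instance.
type Grant struct{ Role, ElementType, Instance, Permission string }
// PDP is a minimal central Policy Decision Point: default deny, explicit grants only.
type PDP struct{ Grants []Grant }

// Decide answers the slides' question "what can an authenticated user do on the element".
// A permission the element type does not define is reported as an error rather than a
// silent deny, so a misconfigured Policy Enforcement Point query is noticed.
func (p *PDP) Decide(roles []string, elementType, instance, permission string) (bool, error) {
	if !contains(permissionsByType[elementType], permission) {
		return false, fmt.Errorf("permission %q is not defined for element type %q", permission, elementType)
	}
	for _, g := range p.Grants {
		if g.ElementType == elementType && g.Permission == permission &&
			(g.Instance == "" || g.Instance == instance) && contains(roles, g.Role) {
			return true, nil
		}
	}
	return false, nil
}

func contains(xs []string, x string) bool {
	for _, v := range xs {
		if v == x {
			return true
		}
	}
	return false
}

// DemoPDP holds a constructed policy: network admins configure every CallServer, one site
// operator may patch only its own registered system, helpdesk may view any element.
func DemoPDP() *PDP {
	return &PDP{Grants: []Grant{
		{"NetworkAdmin", "CallServer", "", "configure"},
		{"SiteOperator", "CallServer", "cs1k-system-1", "patch"},
		{"Helpdesk", "CallServer", "", "view"}, {"Helpdesk", "Gateway", "", "view"},
	}}
}
```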
Quantum in CS1000 - Network, System and Hardware View
[Diagram labels: Subscriber Manager; Deployment Manager; Central Patch Manager; IP-Sec Management; SNMP Profile Manager; Element Manager; EM Phone Provisioning; EM Node Manager; NRS Manager; Central User Manager; Base Manager; SNMP Agent in Elements; UCM Framework; CP for SNMP, NTP, Security; SNMP Trap Server. Layers: Network Level; System Level; Hardware CPU level]
Quantum in CS1000: Physical Deployment view of multi-system, network view
[Diagram labels: CS1000 System 1; CS1000 System 2; Linux UCM-primary; Linux UCM-back; Linux UCM-m; UCM; EM/BCC; Call Server; SubMgr; CND; NRSM; MySQL; config; TPS GW Linux; Web Services; xmsg; ftp; Cust AD; L-SLP Linux; NRS/SPS; ECM-m; MC VxWorks; VxEll; SMS comp; Core comp]
Quantum Framework: Evolution Path
[Diagram labels: Identity Management; Administrative User; Subscriber; Network; UDDI Element Registry; System Management; People; Unified Communication; Centralized AAA, PKI; SOA, MOM (Message Oriented Middleware); What we do now; What we do next]