An Introduction to Middleware and Related Technologies

An Introduction to Middleware and Related Technologies

                         Miroslav Milinovic
                            SRCE / CARNet
                            Zagreb, Croatia
                            <miro@srce.hr>


8th CEENet Workshop on Network Technology, Budapest, Hungary, August 2002.



                                 MM-MW/1
                      Content
•   Needs & challenges
•   What is middleware?
•   Middleware: scope and activities
•   Directories
•   AAA (and PKI)
•   GRID
•   Web services




                          MM-MW/2
                        Needs

• Use combination of remote resources
  to fulfill a task:

  •   computation
  •   data handling
  •   information retrieval
  •   visualization
  •   collaboration support
  •   multimedia distribution
  •   experimentation

                          MM-MW/3
                        Challenges
•   Different perspectives:
    –   providers (service and/or content)
    –   intermediaries
    –   users (individual and/or organisations)


•   Different problems:
    –   technical (programming could be difficult)
    –   non-technical (laws & policies, organisational and social aspects)




                                MM-MW/4
            What is Middleware?
•   history:
    –   RFC 1862 (November 1995): “Replication and caching
        schemes could form a sort of network "middleware" to fulfill a
        common need of distributed services.”
    –   RFC 2768 (February 2000): “Network Policy and Services: A
        Report of a Workshop on Middleware”

•   broad definition:
    –   “glue” between the network infrastructure and user applications

•   commonly used word (buzzword?) with unclear scope

                                MM-MW/5
            What is Middleware?
•   specialized networked services that are shared by applications
    and users
•   a set of core software components that permit scaling of
    applications and networks
•   tools that take the complexity out of application integration
•   a second layer of the IT infrastructure, sitting above the network

•   the intersection of the stuff that network engineers don’t want to
    do with the stuff that applications developers don’t want to do

                                                    (Ken Klingenstein)


                                 MM-MW/6
           What is Middleware?
•   “glue”, a layer of software between the network and
    the applications. This software provides services
    such as identification, authentication, authorization,
    directories, and security.
•   In today's Internet, applications usually have to
    provide these services themselves, which leads to
    competing and incompatible standards. By promoting
    standardization and interoperability, middleware will
    make advanced network applications much easier to
    use.
                              (http://middleware.internet2.edu/)

                           MM-MW/7
A Map of Middleware Land




               (Ken Klingenstein / Internet2)

          MM-MW/8
                             Scope
•   Core middleware
    –   Identifiers
    –   Directories
    –   Authentication, Authorisation, Accounting (AAA)
    –   Certificates and PKI


•   Upper middleware (Upperware)
    –   “services that applications would like to have provided for them,
        rather than having to perform these functions themselves”
    –   computing, data repositories, resource discovery, multimedia ...


                                MM-MW/9
          Core Middleware Scope
•   Identifiers – namespaces, identifier mappings, ...
•   Directories – directory services architectures and tools, standard
    object classes, interrealm and registry services, ...
•   Authentication – technologies and policies, interrealm
    interoperability via PKI, Kerberos, ...
•   Authorisation – permissions and access controls, delegation,
    privacy management, ...
•   Certificates and PKI – technologies (X.509) and policies
•   Integration Activities – common management tools, use of
    virtual, federated and hierarchical organisations




                                MM-MW/10
    The OSI Reference Model
7     Application
6     Presentation      (figure: the “Middleware” band is drawn beside
5     Session            layers 5–7, between application and transport)
4     Transport
3     Network
2     Data link
1     Physical


                     MM-MW/11
    Middleware Model
(figure, three bands)
Application layer   –   app and platform specific
Middleware          –   lots of different stuff (protocols, ...)
Transport layer     –   well defined

               MM-MW/12
                   Activities
• many players & projects:
  –Internet 2 (http://middleware.internet2.edu/)
  –Terena (http://www.terena.nl/middleware/)
  –A&R community
  –industry
  –standardisation bodies
• special focus:
  –grid community (http://www.globalgridforum.org/)



                        MM-MW/13
             Internet 2 activities
•   MACE (Middleware Architecture Committee for
    Education)
•   Shibboleth (Web access control project)
•   VidMid (resource discovery and authentication for
    point-to-point and multi-point videoconferencing)
•   Early Harvest Draft Best Practices for identifiers,
    authentication, and directories
•   Multicampus Middleware
•   ...


                           MM-MW/14
                   Problems solved?
•   some of the problems are being solved
•   we still seek:
     – better definitions
          •   architecture?
          •   scope?
     – standards
          •   how to produce standardised middleware components?
          •   standardisation bodies?
•   ...

                                MM-MW/15
Directories




   MM-MW/16
                       Directories
•   specialised databases designed for storing and
    retrieving information about individuals, organisations,
    services, resources, ...
•   designed for storing and retrieving information
    –   fast reading, writing is slower
    –   static view on the data
    –   simple updates without transactions
•   network protocol for access (Whois, X.500, LDAP, ...)
•   history: used for White pages services


                               MM-MW/17
        Directories & Middleware
•   essential for almost all middleware services
•   move from White pages to Directory Enabled
    Networks
•   currently LDAP based directories are considered as
    the best practice
•   activities in:
    –   IETF
    –   TERENA
    –   Internet 2 Middleware



                                MM-MW/18
 Authentication and
Authorisation (AAA)




       MM-MW/19
                   AAA
• Authentication

• Authorisation

• Accounting (Auditing)

                   MM-MW/20
                    Authentication
•   process of establishing whether or not a real-world
    subject is who or what its identifier says it is
•   identity can be proven by:
    –   something you know, like a password
    –   something you have, like a smart card or a public-key
        certificate
    –   something you are, as with positive photo identification,
        fingerprints, and biometrics
•   should be secure, efficient and effective



                                MM-MW/21
                 Authorisation
•   assume the user is known (successfully authenticated)
•   the user has attributes determining what he/she is
    allowed to do
•   the resource has use conditions set by the resource
    owner
•   authorisation process = make the access decision
•   requires mapping user’s attributes with resource’s use
    conditions



                          MM-MW/22
            Traditional Applications

(figure: the application holds its own userid/password lists and its own
access control lists)
•   multiple userids/passwords (confused user)
•   multiple admins; no common policy

        Authentication and authorisation are internal to the application

                                 MM-MW/23
                        Ultimate goal
(figure: digital signature → application gateway → application; keys and
privileges are managed outside the application)
•   one userid/password or PIN to access the private key (happy user)
•   fewer admins; common policy

        Authentication and authorisation are external to the application

                                  MM-MW/24
     Inter-domain Authorisation
•   disclosing credentials beyond your administrative
    domain:
    –   virtual organisations
    –   publishers, distance education, grids, ...
•   increased flexibility:
    –   better than IP address-based authentication
•   increased security:
    –   weak userid/passwd replaced by certificate




                                MM-MW/25
     Inter-domain Authorisation
•   Various attempts to create a system:
    –   Athens
    –   PAPI
    –   STPA
    –   Gestalt
    –   Shibboleth
•   Longer-term architecture:
    –   IRTF / IETF




                          MM-MW/26
Basic PAPI Architecture




         MM-MW/27
          Shibboleth (Internet2)
•   Federated administration
•   Delegates authentication and attribute assertion to
    campuses
•   Resource owner requests attributes from campus
    and makes decisions based on the response
•   Model allows both campus and user control over
    attribute release (strong emphasis on privacy)
•   At first sight contains no central elements: but
    “Shibboleth Clubs” are needed to agree policy etc.
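One worked example for the Authorisation slide (the user's attributes are mapped against the resource's use conditions) and for the Shibboleth model above (the campus decides which attributes it releases to each resource owner, and the owner decides on what it receives). This is added illustration code in Go, not code from the slides or from the Shibboleth project; the attribute names, the release policy, the resource names and the sample user are constructed.

```go
package main

// Attributes a campus holds about an authenticated user (name -> value).
type Attributes map[string]string

// ReleasePolicy: for each resource, the attributes the campus agrees to
// disclose. This is the campus-side control over attribute release.
type ReleasePolicy map[string][]string

// UseCondition: the resource owner requires Attr to take one of the Allowed values.
type UseCondition struct {
	Attr    string
	Allowed map[string]bool
}

// Release answers a resource owner's attribute request with only those
// attributes the campus policy permits for that resource; the rest stay home.
func Release(policy ReleasePolicy, resource string, user Attributes) Attributes {
	out := Attributes{}
	for _, name := range policy[resource] {
		if v, ok := user[name]; ok {
			out[name] = v
		}
	}
	return out
}

// Decide is the authorisation step: map the released attributes against the
// resource's use conditions. Every condition must hold, and an attribute that
// was not released counts as a denial, never as a pass.
func Decide(conds []UseCondition, released Attributes) (bool, string) {
	for _, c := range conds {
		v, ok := released[c.Attr]
		if !ok {
			return false, "attribute not released: " + c.Attr
		}
		if !c.Allowed[v] {
			return false, c.Attr + "=" + v + " does not satisfy the use conditions"
		}
	}
	return true, "all use conditions satisfied"
}

// Constructed sample data: one campus user and that campus's release policy.
var (
	SampleUser   = Attributes{"affiliation": "student", "entitlement": "chem-lab", "name": "A. Student"}
	SamplePolicy = ReleasePolicy{
		"e-journal":  {"affiliation"},                // the publisher never learns who the user is
		"remote-lab": {"affiliation", "entitlement"}, // the lab needs the entitlement as well
	}
)
```

A resource owner that asks for an attribute the campus does not release for it gets a denial with the reason, which is the privacy property the slide describes: the campus, not the resource, controls disclosure.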


                           MM-MW/28
                 PKI - concept
•   enhanced security
•   Public keys / certificates replace weak user/password
    based AA
•   Public Key Infrastructure (PKI) is a combination of
     – software,
     – protocols,
     – legal agreements
    that are necessary to effectively use certificates.
•   X.509 standard for certificates is used

                          MM-MW/29
   Asymmetric Encryption
(figure)
Cleartext  →  Asymmetric Encryption (Public Key)  →  Ciphertext
Ciphertext →  Asymmetric Decryption (Private Key) →  Cleartext

                        MM-MW/30
Generation of a Digital Signature
(figure)
Information to be signed  →  Hash function  →  Hash value
Hash value  →  Asymmetric Encryption (Private Key)  →  Digital Signature

                      MM-MW/31
Verification of a Digital Signature
(figure)
Signed Information  →  Hash function  →  Hash value
Digital Signature   →  Asymmetric Encryption (Public Key)  →  Decrypted Signature
Hash value  =?  Decrypted Signature
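The three figures above (asymmetric encryption, signature generation, signature verification) carried through in working code. This is an added example using Go's standard library, not code from the slides; the key size (2048-bit RSA), the hash (SHA-256), the schemes (PKCS#1 v1.5 signatures, RSA-OAEP encryption) and the sample message are my choices.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// SignInfo: the "Generation of a Digital Signature" slide. The information is
// hashed and the private-key operation is applied to the hash value.
func SignInfo(priv *rsa.PrivateKey, info []byte) ([]byte, error) {
	hashValue := sha256.Sum256(info)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, hashValue[:])
}

// VerifyInfo: the "Verification of a Digital Signature" slide. The verifier
// re-hashes the received information and checks it against the signature
// with the signer's public key; any change to the data or signature fails.
func VerifyInfo(pub *rsa.PublicKey, info, sig []byte) bool {
	hashValue := sha256.Sum256(info)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, hashValue[:], sig) == nil
}

// Seal/Open: the "Asymmetric Encryption" slide (RSA-OAEP with SHA-256).
func Seal(pub *rsa.PublicKey, cleartext []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, cleartext, nil)
}
func Open(priv *rsa.PrivateKey, ciphertext []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ciphertext, nil)
}

// Demo runs both flows on a constructed message and returns whether the genuine
// signature verifies, a tampered copy is rejected, and encryption round-trips.
func Demo() (sigOK, tamperRejected, roundTrip bool, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // fresh key pair for the demo
	if err != nil {
		return
	}
	info := []byte("constructed sample: grant user X read access") // constructed
	sig, err := SignInfo(priv, info)
	if err != nil {
		return
	}
	sigOK = VerifyInfo(&priv.PublicKey, info, sig)
	tamperRejected = !VerifyInfo(&priv.PublicKey, []byte("constructed sample: grant user X write access"), sig)
	ct, err := Seal(&priv.PublicKey, info)
	pt, err := Open(priv, ct) // also fails if Seal failed, so one check covers both
	roundTrip = err == nil && bytes.Equal(pt, info)
	return
}
```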
                          MM-MW/32
                 PKI - components
•   Certificate Authority (CA), that manages and signs certificates for an
    institution
•   Registration Authorities (RA), operating under the auspices of the CA, that
    validate users as having been issued certificates
•   PKI management tools, including software to manage revocations,
    validations and renewals
•   Directories to store certificates, public keys, and certificate management
    information
•   Databases and key-management software to store escrowed and
    archived keys
•   Applications that can make use of certificates and can seek validation of
    others' certificates
•   Trust models that extend the realm of secure communications beyond the
    original CA
•   Policies that identify how an institution manages certificates, including legal
    liabilities and limitations, standards on contents of certificates, and actual
    campus practices

                                    MM-MW/33
         PKI components
(figure, two columns)
Infrastructure System             End User System
  –   Registration                  –   Signature Component
  –   Certification                 –   Verification Component
  –   Directory                     –   Visualisation Component
  –   Time Stamping




                        MM-MW/34
                    PKI in real life
•   European directives:
    –   Digital Signatures Directive
    –   European Signature Standardization Initiative
    –   Qualified Certificates (not for NRENs?)
•   National differences
•   Deployment started; not all issues well understood
•   Start bottom up
    –   Client cert for SSL (http, imap, ipsec, …)
    –   Integration with directories (LDAP / X.509)
•   Bottom line is trust

                                MM-MW/35
GRID




MM-MW/36
                  Current status
•   known concepts:
    –   high-performance computers (supercomputers)
    –   distributed computing
    –   clustering
•   challenges:
    –   huge amount of data (LHC CERN, astronomy, meteorology)
    –   need for computing power
•   intensive development of networking technologies
•   new models of services on the Internet: E2E, P2P, B2B


                             MM-MW/37
                  What is new?
•   “The Network is the Computer”
•   New approach: standardised use of all resources
    accessible through the network
•   middleware as standardised interface to all
    networked resources (disk space, processing power)


            When the network is as fast as the computer's
            internal links, the machine disintegrates across the
            net into a set of special purpose appliances.
            Ian Foster, Gilder Technology Report, June 2000.

                             MM-MW/38
                     The Grid
“The Grid is a consistent and standardized environment for
collaborative, distributed problem solving that requires high
performance computing on massive amounts of data that are
stored, and/or generated at high data rates using widely
distributed, heterogeneous resources.”
“The Grid is an inherently layered architecture that provides
for common services and a diversity of middleware that
supports building distributed, large-scale, and high
performance applications and problem solving systems.”
(W.E. Johnston as quoted by Ian Foster)


                          MM-MW/39
                       What is Grid?
•   term “the Grid” was coined in the mid 1990’s (Ian Foster)
•   denotes distributed computing infrastructure for advanced science
    and engineering
•   coordinated resource sharing and distributed problem solving in
    dynamic, multi-institutional, virtual organisations (VO)
•   Grid includes/offers:
     – distributed computing
     – large-scale data handling and analysis
     – new possibilities for collaboration:
         •   communication, computer-in-the-loop instrumentation, science portals




                                    MM-MW/40
                 What is not Grid?
•   Next Generation Internet
    –   Grid makes use of the Internet
    –   it is not an alternative to “the Internet”
•   substitution for high-performance computers
    –   we still need them
•   source of free computer cycles
•   distributed operating system
•   name for the new approach to programming



                                  MM-MW/41
              Grid Architecture




The Grid: A New Infrastructure for 21st Century Science, Ian Foster


                             MM-MW/42
Authorisation and authentication




The Grid: A New Infrastructure for 21st Century Science, Ian Foster

                             MM-MW/43
                   Globus toolkit
•   open source, open architecture SW toolkit
•   basic tools for building computational grids
•   includes SW for:
    –   security (AAA)
    –   information services
    –   resource management
    –   data management


•   http://www.globus.org/


                               MM-MW/44
            Global Grid Forum
•   GGF (http://www.globalgridforum.org/)
•   the GGF mission:
    “to focus on the promotion and development of Grid
    technologies and applications via the development and
    documentation of "best practices," implementation
    guidelines, and standards with an emphasis on "rough
    consensus and running code".”
•   GGF attempts to define standards in an IETF-like
    fashion
•   brings together grid-like projects and initiatives

                          MM-MW/45
Web services




    MM-MW/46
                    Web service
•   is a network accessible interface to application
    functionality, built using standard Internet technologies
•   any application that can be accessed over a network
    using a combination of protocols like HTTP, SMTP, ...
•   provide a layer between the application client and the
    application code
•   Web is used to provide application to application
    communication
•   W3C work: http://www.w3.org/2002/ws/


                           MM-MW/47
        Web services: model




http://www.ibm.com/software/solutions/webservices/pdf/WSCA.pdf


                           MM-MW/48
  The conceptual WS stack




http://www.ibm.com/software/solutions/webservices/pdf/WSCA.pdf


                           MM-MW/49
                Future (of Internet)
•   Semantic Web (Tim Berners-Lee)
•   Grid
    –   Computational Grid (Foster/Kesselman)
         •   Computing power out of the wall
    –   Information Grid
         •   Information about resources, data and the rest
    –   Knowledge Grid
         •   Knowledge is relations between concepts and information




                                   MM-MW/50
                 Future
(figure, Tony Hey: vertical axis Data Complexity, horizontal axis Computational Complexity)
•   low data / low computational complexity:    Web
•   low data / high computational complexity:   Grid
•   high data / low computational complexity:   Semantic Web
•   high data / high computational complexity:  Semantic Grid

                     MM-MW/51
                    Summary
•   Needs & challenges
•   What is middleware?
•   Middleware: scope and activities
•   Directories
•   AAA (and PKI)
•   GRID
•   Web services




                          MM-MW/52

						