An Introduction to Middleware and Related Technologies - PowerPoint PPT Presentation

1
An Introduction to Middleware and Related
Technologies
  • Miroslav Milinovic
  • SRCE / CARNet
  • Zagreb, Croatia
  • <miro_at_srce.hr>

8th CEENet Workshop on Network Technology,
Budapest, Hungary, August 2002.
2
Content
  • Needs & challenges
  • What is middleware?
  • Middleware scope and activities
  • Directories
  • AAA (and PKI)
  • GRID
  • Web services

3
Needs
  • Use a combination of remote resources to fulfill a
    task
    • computation
    • data handling
    • information retrieval
    • visualization
    • collaboration support
    • multimedia distribution
    • experimentation

4
Challenges
  • Different perspectives
    • providers (service and/or content)
    • intermediaries
    • users (individuals and/or organisations)
  • Different problems
    • technical (programming could be difficult)
    • non-technical (laws, policies, organisational
      and social aspects)

5
What is Middleware?
  • history
    • RFC 1862 (November 1995): "Replication and
      caching schemes could form a sort of network
      'middleware' to fulfill a common need of
      distributed services."
    • RFC 2768 (February 2000): Network Policy and
      Services: A Report of a Workshop on Middleware
  • broad definition
    • glue between the network infrastructure and
      user applications
    • commonly used word (buzzword?) with unclear scope

6
What is Middleware?
  • specialized networked services that are shared by
    applications and users
  • a set of core software components that permit
    scaling of applications and networks
  • tools that take the complexity out of application
    integration
  • a second layer of the IT infrastructure, sitting
    above the network
  • "the intersection of the stuff that network
    engineers don't want to do with the stuff that
    applications developers don't want to do"
    (Ken Klingenstein)

7
What is Middleware?
  • "glue, a layer of software between the network
    and the applications. This software provides
    services such as identification, authentication,
    authorization, directories, and security.
  • In today's Internet, applications usually have to
    provide these services themselves, which leads to
    competing and incompatible standards. By
    promoting standardization and interoperability,
    middleware will make advanced network
    applications much easier to use."
  • (http://middleware.internet2.edu/)

8
A Map of Middleware Land
(Ken Klingenstein / Internet2)
9
Scope
  • Core middleware
    • Identifiers
    • Directories
    • Authentication, Authorisation, Accounting (AAA)
    • Certificates and PKI
  • Upper middleware (Upperware)
    • services that applications would like to have
      provided for them, rather than having to perform
      these functions themselves
    • computing, data repositories, resource discovery,
      multimedia ...

10
Core Middleware Scope
  • Identifiers: namespaces, identifier mappings,
    ...
  • Directories: directory services architectures
    and tools, standard object classes, interrealm
    and registry services, ...
  • Authentication: technologies and policies,
    interrealm interoperability via PKI, Kerberos,
    ...
  • Authorisation: permissions and access controls,
    delegation, privacy management, ...
  • Certificates and PKI: technologies (X.509) and
    policies
  • Integration Activities: common management tools,
    use of virtual, federated and hierarchical
    organisations

11
The OSI Reference Model
12
Middleware Model
Diagram (layers, top to bottom): Application layer
(app and platform specific); Middleware (lots of
different stuff: protocols, ...); Transport layer
(well defined)
13
Activities
  • many players / projects
    • Internet2 (http://middleware.internet2.edu/)
    • Terena (http://www.terena.nl/middleware/)
    • A&R community
    • industry
    • standardisation bodies
  • special focus
    • grid community (http://www.globalgridforum.org/)

14
Internet 2 activities
  • MACE (Middleware Architecture Committee for
    Education)
  • Shibboleth (Web access control project)
  • VidMid (resource discovery and authentication for
    point-to-point and multi-point videoconferencing)
  • Early Harvest: draft best practices for
    identifiers, authentication, and directories
  • Multicampus Middleware
  • ...

15
Problems solved?
  • some of the problems are being solved
  • we still seek
    • better definitions
      • architecture?
      • scope?
    • standards
      • how to produce standardised middleware
        components?
      • standardisation bodies?
    • ...

16
Directories
17
Directories
  • specialised databases designed for storing and
    retrieving information about individuals,
    organisations, services, resources, ...
  • designed for storing and retrieving information
    • fast reading, slower writing
    • static view of the data
    • simple updates without transactions
  • network protocol for access (Whois, X.500, LDAP,
    ...)
  • history: used for White pages services

18
Directories & Middleware
  • essential for almost all middleware services
  • move from White pages to Directory Enabled
    Networks
  • currently LDAP based directories are considered
    the best practice
  • activities in
    • IETF
    • TERENA
    • Internet2 Middleware

19
Authentication and Authorisation (AAA)
20
AAA
  • Authentication
  • Authorisation
  • Accounting (Auditing)

21
Authentication
  • process of establishing whether or not a
    real-world subject is who or what its identifier
    says it is
  • identity can be proven by
    • something you know, like a password
    • something you have, like a smart card or
      public-key certificate
    • something you are, as with positive photo
      identification, fingerprints, and biometrics
  • should be secure, efficient and effective

22
Authorisation
  • assume the user is known (successfully
    authenticated)
  • the user has attributes determining what he/she
    is allowed to do
  • the resource has use conditions set by the
    resource owner
  • the authorisation process makes the access decision
  • requires mapping the user's attributes onto the
    resource's use conditions

23
Traditional Applications
Diagram: userid / password lists and access control
lists kept by each application; multiple admins, no
common policy; multiple userids/passwords (confused
user)
  • Authentication and authorisation are internal to
    the application

24
Ultimate goal
Diagram: applications behind an application gateway;
digital signature; keys and privileges managed, with
one userid/password or PIN to access the private key
(happy user); fewer admins, common policy
  • Authentication and authorisation are external to
    the application

25
Inter-domain Authorisation
  • disclosing credentials beyond your administrative
    domain
    • virtual organisations
    • publishers, distance education, grids, ...
  • increased flexibility
    • better than IP address-based authentication
  • increased security
    • weak userid/passwd replaced by certificate

26
Inter-domain Authorisation
  • Various attempts to create a system
    • Athens
    • PAPI
    • STPA
    • Gestalt
    • Shibboleth
  • Longer-term architecture
    • IRTF / IETF

27
Basic PAPI Architecture
28
Shibboleth (Internet2)
  • Federated administration
  • Delegates authentication and attribute assertion
    to campuses
  • Resource owner requests attributes from campus
    and makes decisions based on the response
  • Model allows both campus and user control over
    attribute release (strong emphasis on privacy)
  • At first sight contains no central elements but
    Shibboleth Clubs are needed to agree policy etc.

29
PKI - concept
  • enhanced security
    • public keys / certificates replace weak
      user/password based AA
  • Public Key Infrastructure (PKI) is a combination
    of
    • software,
    • protocols,
    • legal agreements
    that are necessary to effectively use
    certificates.
  • X.509 standard for certificates is used

30
Asymmetric Encryption
Diagram: Cleartext -> Asymmetric Encryption (Public
Key) -> Ciphertext -> Asymmetric Decryption (Private
Key) -> Cleartext
31
Generation of a Digital Signature
Diagram: Information to be signed -> Hash function ->
Hash value -> Asymmetric Encryption (Private Key) ->
Digital Signature
32
Verification of a Digital Signature
Diagram: Digital Signature -> Asymmetric Encryption
(Public Key) -> Decrypted Signature; Signed
Information -> Hash function -> Hash value; the two
results are compared
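Slides 31 and 32 as a runnable Python example (added here, not from the presentation): the hash of the information is encrypted with the private key to form the signature, and the verifier decrypts it with the public key and compares the result with a fresh hash. It uses textbook RSA over a constructed toy key pair and a truncated digest so that it runs with the standard library alone; a real deployment uses full-size keys and a padding scheme such as PKCS#1.

```python
import hashlib

# Constructed toy RSA key pair (textbook RSA, ~40-bit modulus): it shows
# the slide's data flow only and is nowhere near a real key size.
_P, _Q = 1000003, 999983
N = _P * _Q                             # public modulus
E = 65537                               # public exponent
_D = pow(E, -1, (_P - 1) * (_Q - 1))    # private exponent (Python 3.8+)

PUBLIC_KEY = (N, E)
PRIVATE_KEY = (N, _D)


def hash_value(information: bytes) -> int:
    """Hash function step: SHA-256, truncated to 32 bits so the value fits
    below the toy modulus (a real scheme pads the full digest instead)."""
    return int.from_bytes(hashlib.sha256(information).digest()[:4], "big")


def generate_signature(information: bytes, private_key=PRIVATE_KEY) -> int:
    """Slide 31: hash the information, then 'encrypt' the hash value with
    the private key; the result is the digital signature."""
    n, d = private_key
    return pow(hash_value(information), d, n)


def verify_signature(signed_information: bytes, signature: int,
                     public_key=PUBLIC_KEY) -> bool:
    """Slide 32: 'decrypt' the signature with the public key and compare
    the result with a freshly computed hash of the signed information."""
    n, e = public_key
    decrypted_signature = pow(signature, e, n)
    return decrypted_signature == hash_value(signed_information)
```

Any change to the signed information or to the signature itself makes the comparison fail, which is the property the verifier relies on.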
33
PKI - components
  • Certificate Authority (CA), that manages and
    signs certificates for an institution
  • Registration Authorities (RA), operating under
    the auspices of the CA, that validate users as
    having been issued certificates
  • PKI management tools, including software to
    manage revocations, validations and renewals
  • Directories to store certificates, public keys,
    and certificate management information
  • Databases and key-management software to store
    escrowed and archived keys
  • Applications that can make use of certificates
    and can seek validation of others' certificates
  • Trust models that extend the realm of secure
    communications beyond the original CA
  • Policies that identify how an institution manages
    certificates, including legal liabilities and
    limitations, standards on contents of
    certificates, and actual campus practices

34
PKI components
Diagram: Infrastructure System and End User System
35
PKI in real life
  • European directives
    • Digital Signatures Directive
    • European Signature Standardization Initiative
    • Qualified Certificates (not for NRENs?)
  • National differences
  • Deployment started, not all issues well
    understood
  • Start bottom up
    • Client cert for SSL (http, imap, ipsec, ...)
    • Integration with directories (LDAP / X.509)
  • Bottom line is trust

36
GRID
37
Current status
  • known concepts
    • high-performance computers (supercomputers)
    • distributed computing
    • clustering
  • challenges
    • huge amount of data (LHC CERN, astronomy,
      meteorology)
    • need for computing power
    • intensive development of networking technologies
    • new models of services on the Internet: E2E, P2P,
      B2B

38
What is new?
  • The Network is the Computer
  • New approach: standardised use of all resources
    accessible through the network
  • middleware as standardised interface to all
    networked resources (disk space, processing
    power)

"When the network is as fast as the computer's
internal links, the machine disintegrates across
the net into a set of special purpose
appliances." (Ian Foster, Gilder Technology Report,
June 2000)
39
The Grid
"The Grid is a consistent and standardized
environment for collaborative, distributed
problem solving that requires high performance
computing on massive amounts of data that are
stored and/or generated at high data rates using
widely distributed, heterogeneous resources.
The Grid is an inherently layered architecture
that provides for common services and a diversity
of middleware that supports building distributed,
large-scale, and high performance applications
and problem solving systems." (W.E. Johnston as
quoted by Ian Foster)
40
What is Grid?
  • the term "the Grid" was coined in the mid 1990s
    (Ian Foster)
  • denotes distributed computing infrastructure for
    advanced science and engineering
  • coordinated resource sharing and distributed
    problem solving in dynamic, multi-institutional,
    virtual organisations (VO)
  • Grid includes/offers
    • distributed computing
    • large-scale data handling and analysis
    • new possibilities for collaboration
    • communication, computer-in-the-loop
      instrumentation, science portals

41
What is not Grid?
  • Next Generation Internet
    • Grid makes use of the Internet
    • it is not an alternative to the Internet
  • substitution for high-performance computers
    • we still need them
  • source of free computer cycles
  • distributed operating system
  • name for the new approach to programming

42
Grid Architecture
43
Authorisation and authentication
44
Globus toolkit
  • open source, open architecture SW toolkit
  • basic tools for building computational grids
  • includes SW for
    • security (AAA)
    • information services
    • resource management
    • data management
  • http://www.globus.org/

45
Global Grid Forum
  • GGF (http://www.globalgridforum.org/)
  • the GGF mission:
    • to focus on the promotion and development of
      Grid technologies and applications via the
      development and documentation of "best
      practices," implementation guidelines, and
      standards with an emphasis on "rough consensus
      and running code".
  • GGF attempts to define standards in an IETF-like
    fashion
  • brings together grid-like projects and initiatives

46
Web services
47
Web service
  • is a network accessible interface to application
    functionality, built using standard Internet
    technologies
  • any application that can be accessed over a
    network using a combination of protocols like
    HTTP, SMTP, ...
  • provides a layer between the application client
    and the application code
  • the Web is used to provide application to
    application communication
  • W3C work: http://www.w3.org/2002/ws/

48
Web services model
http://www.ibm.com/software/solutions/webservices/pdf/WSCA.pdf
49
The conceptual WS stack
http://www.ibm.com/software/solutions/webservices/pdf/WSCA.pdf
50
Future (of Internet)
  • Semantic Web (Tim Berners-Lee)
  • Grid
    • Computational Grid (Foster/Kesselman)
      • computing power out of the wall
    • Information Grid
      • information about resources, data and the rest
    • Knowledge Grid
      • knowledge is relations between concepts and
        information

51
Future
Diagram (Tony Hey): Web, Grid, Semantic Web and
Semantic Grid positioned along two axes, Data
Complexity and Computational Complexity
52
Summary
  • Needs & challenges
  • What is middleware?
  • Middleware scope and activities
  • Directories
  • AAA (and PKI)
  • GRID
  • Web services