ORBAsec SL3 3.5
ORBAsec SL3 is an implementation of the standard CORBA Common Secure Interoperability Version 2 (CSIv2) Protocol with our SecurityLevel3 and TransportSecurity interfaces.
In the last release of ORBAsec SL3 we added support for Kerberos and the Kerberos User-to-User protocol, along with support for ATLAS, the OMG's Authorization Token Layer Acquisition Service. This service allows you to plug your own authorization tokens into the CSIv2 protocol.
In the current release, we have added an implementation of a client ATLAS cache, which you may use to avoid downloading valid authorization tokens over and over.
The big news for ORBAsec SL3 is the freedom from having to use IONA's ORBacus for Java. The Adiron Team has built an ORB into which ORBAsec SL3 plugs. The AdironORB is a rework of the Community OpenORB that modularizes the internal ORB components to enable security plug-ins. It is also faster than the Community OpenORB.
ORBAsec SL3 still supports both Kerberos and SSL/TLS. The Kerberos technology gives single sign-on/login capability to CORBA clients and servers, and is compatible with Windows 2000 authentication servers. The User-to-User Kerberos protocol allows CORBA servers to use Kerberos authentication from your Kerberos Credentials Cache. This capability means that you can use your login credentials (i.e. from the "kinit" program) to act as a server, whereas before you needed to supply your password directly to the CORBA application.
CORBA CSIv2 is the standard security protocol for CORBA. It is a recently adopted OMG specification and is endorsed and referenced by the Enterprise Java Beans specification for EJB security.
ORBAsec SL3 and AdironORB give you the security you need in developing secure applications. ORBAsec SL3 provides the functionality for authentication, secure requests, and the ability to build your own access control within your client or server application. With ORBAsec SL3 you can:
- Use Kerberos authentication and message security.
- Integrate with Windows 2000 Authentication Servers (Win2K KDCs) using Kerberos.
- Use TLS/SSL and get the message security and authentication of your Public Key Infrastructure (PKI).
- Make access decisions based on the identity and credentials of the client.
- Make trust decisions based on the identity of the server.
The CSIv2 protocol for CORBA security was developed by many important vendors, such as Sun Microsystems, IBM, and Compaq, as well as Adiron. These players have key market interests in this area, so the protocol has a better chance than if just Adiron were implementing it.
CSIv2 is merely a CORBA protocol and not an API. ORBAsec SL3 is quite different from its predecessor, ORBAsec SL2, in that it departs from the CORBA Security Level 2 API. ORBAsec SL3 gives a brand new API to Distributed Security, which is much more dependable and robust. It is based on a mathematical model of principals. You can read about the Principal Calculus in the following paper by Abadi, Lampson, et al.: Authentication in Distributed Systems: Theory and Practice.
A security system that is based on mathematical foundations is a system that can be reasoned about. And when you are reasoning about security, you should have a good mathematical foundation to stand on, instead of ad-hoc arguments.
Please subscribe to our sl3-users mailing list.
ORBAsec SL3 Features
The features ORBAsec SL3 supports:
- Full functionality of the ORB, ORBacus 4.1.3 for Java.
- Common Secure Interoperability Version 2 (CSIv2)
  - Level 0
    - Use of SECIOP-Kerberos
    - Use of TLS/SSL
    - Use of IIOP (unprotected communication, environments where trust is presumed).
    - Weak Delegation (the ability to simply state that the request is being made on behalf of another).
    - Strong Delegation (impersonation using Kerberos Forwardable Tickets).
    - Ability to authenticate using a Username/Password scheme.
  - Level 1
    - The ability to use privileges (with ATLAS).
  - Level 2
    - Privilege-based delegation (with ATLAS).
- Common Secure Interoperability Version 1
  - IIOP - Plain old GIOP over TCP/IP
  - SSLIOP - Secure Sockets Layer (SSL)
  - SECIOP-Kerberos
- Can use CSIv2, IIOP, SSLIOP, SECIOP-Kerberos for a mixture of security mechanisms all at the same time!
  - Allows you to perform secure and insecure communication within the same application.
  - Allows you to talk to legacy objects, IIOP, SSLIOP, SECIOP-Kerberos, and other non-CSIv2 objects.
- FULL SOURCE CODE!
  - ORBAsec SL3 is an Available Source distribution, which is free for educational use and evaluation.
- FREE EDUCATIONAL AND EVALUATION LICENSES!
  - ORBAsec SL3 is free for educational, personal use, and evaluation.
  - Commercial licenses are available for development and deployment in commercial and research environments.
Requirements for ORBAsec SL3 3.5
ORBAsec SL3 3.4.0 requires the following software:
The Security Level 3 Interfaces
The Adiron SecurityLevel3 module contains brand new IDL-based interfaces for handling the security needs of your objects. It abstracts the CORBA CSIv2 protocol using Credentials interfaces. This concise set of interfaces allows you to control the complexities of the CSIv2 protocol. Also, each identifiable entity in SecurityLevel3 and TransportSecurity is represented by a valuetype called Principal, which is extended to Simple, Quoting, and Proxy Principals. This model for principals allows us to represent the complexity of the CSIv2 protocol in a comprehensive fashion. The valuetype allows us to pass its comprehensive representation to an Access Control Object.
The Transport Security Interfaces
The CSIv2 protocol runs over secure transports, such as TLS/SSL and SECIOP, and insecure transports (straight IIOP). However, manipulating the secure transports is also a complex process. Using the same Principal and Credentials models as SecurityLevel3, we provide interfaces for handling the security aspects of the network transport layer that is underneath the ORB protocol (GIOP). Credentials at the TransportSecurity layer also allow us to handle CORBA Common Secure Interoperability Version 1 (CSIv1), which was always done at the transport layer.
Licensing
ORBAsec SL3 is free for evaluation and educational use. Please contact sales@adiron.com for more information on commercial and research licensing scenarios.
Note: Licensing of all third party software is the buyer's responsibility.
Copyright 2004 Adiron. All Rights Reserved.
"ORBAsec", "AdironORB", and "SL3" are trademarks of Adiron, LLC.
"Java" is a trademark of Sun Microsystems, Inc. "CORBA" is a trademark of the Object Management Group.
Other names, products and services may be the trademarks or registered trademarks of their respective holders.