Quantum Architecture Overview

managing human and device identities in unified communication and SOA

  • Quantum maintains three centralized repositories:
    - A repository about people (identity): who they are, the information related to each person (phone number, e-mail, password), how to keep them in sync with an external people database (LDAP sync), and how to correlate authentication processes (external authentication, federation).
    - A repository about the network: what is in the network (applications, devices), what they can do (supported Web Services, WSDL etc.), and how to reach them.
    - A repository about network security policies, which ensure that people use or manage the network with CIA (Confidentiality, Integrity and Availability).
  • Quantum Framework 1.0 was about the integration of CS1000 OAM security with the MFT carrier security solution; a lot of valuable lessons were learned. Quantum Framework 2.0 is a total re-write of the internal components (target products are CS1000, Multimedia applications and Contact Centers): a better architecture, removal of the dependencies on MFT code, working directly with OpenSSO; a UDDI-based network metadata repository that builds the core of the SOA; a pure Java based private Certificate Authority with SOA-based certificate management; and a security-enabled notification framework based on JBoss JMS. Quantum Framework 3.0 is about subscriber authentication and integration into Unified Communication.
  • Quantum Architecture Overview

    1. Quantum Framework: Identity and Trust. Jin Peng, Feb 12, 2009
    2. Identities in System (Network) Management
       • People Identity Management
         - Creation, management and deletion of administrative users
         - User authentication (login), Single Sign-On, Federation
         - Role/Policy based flexible access control
         - Other security policies (password complexity, session time-out etc.)
       • Network Element Identity Management
         - A network element joins the security domain and registers itself
         - Keep track of the network element's metadata (IP address, element type, release number)
         - Keep track of the network element's public key and X.509 certificate
         - Keep track of the Web services supported by the network element, through the standard Universal Description Discovery and Integration (UDDI) interface
         - Provide the common registry for other services and data mashup
    3. Quantum Framework: bring people and network together through identity and trust management. (Diagram: People Identity, Network Element Identity, AAA, PKI, Security: Confidentiality, Integrity, Availability (CIA))
    4. Open Source Stack (diagram: Java, JBoss, OpenSSO, Spring Framework, Bouncy Castle, OpenSSL, JavaSSH, Quantum Frame, CND (OpenLDAP))
       • Quantum is a combination of JBoss, OpenSSO and other open source projects. It is built and maintained in Norforge as an internal open source program. It is presently used by CS1k, MAS, CC7, AS5300 MAS and CDN.
       • Quantum provides the following functions:
         - Central registry via UDDI
         - RBAC authorization and authentication for all applications running in JBoss
         - Single sign-on across application and hardware platforms
         - PKI management, RADIUS support, external A&A etc.
    5. Quantum Framework deployment (diagram: Primary Quantum Frame (1), Backup Quantum Frame (0/1), Member Quantum Frame (0/n))
       • Quantum is deployed in 3 possible roles: Primary, Backup, Member
    6. Common Login and Single Sign-On
       • Common login page for a security domain
       • Log in only once: Single Sign-On inside the security domain
       • Built-in RADIUS service for CLI login
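The RADIUS exchange behind the CLI login on this slide, as an added example that is not part of the original deck and not Quantum's code: a NAS (the CLI front end) builds an Access-Request carrying a PAP-hidden User-Password and a Message-Authenticator, the server checks the MAC, recovers the password against a constructed admin store, and answers with an Access-Accept or Access-Reject whose Response Authenticator the NAS verifies before trusting it. The shared secret, the NAS address 192.0.2.10, the account and the attribute layout are assumptions made for the example.

```python
"""Minimal RADIUS PAP exchange (RFC 2865 / RFC 2869) between a CLI front end (the
NAS) and an authentication server, standard library only.  Constructed
illustration: secret, addresses and accounts are made up, not Quantum's."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, MESSAGE_AUTHENTICATOR = 1, 2, 4, 80

SHARED_SECRET = b"quantum-demo-secret"      # constructed; shared by NAS and server
ADMIN_DB = {"admin": "Str0ng-Passw0rd!"}    # constructed server-side admin store


def _blocks(data, secret, authenticator, hidden):
    """RFC 2865 s5.2 User-Password hiding: every 16-byte block is XORed with
    MD5(secret + previous cipher block), seeded by the Request Authenticator.
    `hidden` says whether `data` is already the hidden (cipher) form."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        chunk = data[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        xored = bytes(x ^ y for x, y in zip(chunk, mask))
        out += xored
        prev = chunk if hidden else xored
    return out


def hide_password(password, secret, authenticator):
    padded = password + b"\x00" * (-len(password) % 16)
    if not padded:                      # an empty password is still one block
        padded = b"\x00" * 16
    return _blocks(padded, secret, authenticator, hidden=False)


def unhide_password(hidden, secret, authenticator):
    return _blocks(hidden, secret, authenticator, hidden=True).rstrip(b"\x00")


def attr(atype, value):
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attrs(data, base=0):
    """Return [(type, value, offset_of_value_in_packet)], rejecting bad lengths."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("bad attribute length")
        out.append((atype, data[i + 2:i + alen], base + i + 2))
        i += alen
    return out


def build_packet(code, ident, authenticator, attrs):
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def build_access_request(username, password, secret, ident=0):
    """NAS side.  Message-Authenticator (RFC 2869) is HMAC-MD5 over the whole
    packet with its own value zeroed; it is the last attribute, so the last
    16 bytes are patched after the MAC is computed."""
    request_auth = os.urandom(16)
    attrs = (attr(USER_NAME, username.encode())
             + attr(USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
             + attr(NAS_IP_ADDRESS, bytes([192, 0, 2, 10]))      # constructed NAS address
             + attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16))
    pkt = build_packet(ACCESS_REQUEST, ident, request_auth, attrs)
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()


def build_response(code, ident, request_auth, secret, attrs=b""):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + request_auth + attrs + secret).digest() + attrs


def handle_access_request(pkt, secret, admin_db):
    """Server side: verify the Message-Authenticator, recover the password, decide."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCESS_REQUEST or length < 20 or length != len(pkt):
        return None                              # malformed: silently discard
    request_auth = pkt[4:20]
    attrs = parse_attrs(pkt[20:length], base=20)
    fields = {atype: value for atype, value, _ in attrs}
    for atype, value, off in attrs:
        if atype == MESSAGE_AUTHENTICATOR:
            zeroed = pkt[:off] + b"\x00" * 16 + pkt[off + 16:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            if not hmac.compare_digest(expected, value):
                return build_response(ACCESS_REJECT, ident, request_auth, secret)
    user = fields.get(USER_NAME, b"").decode("utf-8", "replace")
    password = unhide_password(fields.get(USER_PASSWORD, b""), secret, request_auth)
    ok = user in admin_db and hmac.compare_digest(admin_db[user].encode(), password)
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, request_auth, secret)


def verify_response(resp, request, secret):
    """NAS side: accept the reply only if it is bound to our own request."""
    code, ident, length = struct.unpack("!BBH", resp[:4])
    if ident != request[1] or length < 20 or length != len(resp):
        return None
    expected = hashlib.md5(resp[:4] + request[4:20] + resp[20:] + secret).digest()
    return code if hmac.compare_digest(expected, resp[4:20]) else None


if __name__ == "__main__":
    req = build_access_request("admin", "Str0ng-Passw0rd!", SHARED_SECRET, ident=7)
    resp = handle_access_request(req, SHARED_SECRET, ADMIN_DB)
    names = {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject"}
    print("CLI login result:", names.get(verify_response(resp, req, SHARED_SECRET)))
```

The Message-Authenticator is what lets the server reject a spoofed or modified request before it touches the password, and the Response Authenticator is what lets the NAS reject a forged Access-Accept; both rest only on MD5 and the shared secret, so a RADIUS service for CLI login belongs on a management network or an encrypted transport (IPsec, RadSec) rather than on untrusted links.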
    7. Manage administrative users
    8. Support multiple external authentication protocols
    9. Role based, per element type or per instance, access control
    10. Support different permissions (authorization models) for different types of element
    11. Control security policies centrally
    12. Monitor active sessions
    13. Review audit log
    14. A Common Registry for Network Elements
       • The element registry is the fundamental lookup table for the network
       • It keeps track of what devices are in the network, what they can do, how to reach them, the URL to manage them etc.
       • Using public-key cryptography, each network element is uniquely identified by its RSA key pair or X.509 certificate: this assures that we are talking to the right element
       • Element grouping keeps track of the relationships between network elements
       • Standards-based UDDI Web service support for the element registry
    15. Manage Network Elements: network level services can be integrated dynamically into the main navigator. New types of network element, new instances of elements and their web-based management consoles can be registered dynamically.
    16. Dynamic grouping of registered elements and network services: you only see links to which you have been granted access rights.
    17. Mashup with Quantum Framework (diagram)
       • Quantum network metadata registry (Universal Description Discovery and Integration): what is on the network (inventory), what they can do (SOA), what their relations are, how to reach them, how to protect them (security)
       • Quantum security: AAA and PKI
       • Services layered on top: Fault/Performance Management, other network services, Subscriber Management, Configuration, Deployment, Patching
       • Legend: Quantum Framework; third-party applications; Nortel management applications; combinations of third-party discovery and Nortel registration
    18. Graphical view of CS1000 services mashup on top of Quantum Framework (diagram: launches Subscriber Manager, Deployment Manager, SNMP Profile Manager, NRS Manager, Element Manager and BCC, Base Manager, Central Patch Manager)
    19. An example of a mashup service based on the element registry: Central Deployment Management
    20. Circle of Trust based on Public Key Infrastructure
       • A user trusts a network element based on
         - it having a public key that can be trusted, or
         - it having an X.509 certificate issued by a trusted certificate authority
       • A network element (or its management application) trusts a user based on
         - the authentication result: is the user authenticated
         - access control decisions from the trusted Policy Decision Point: what an authenticated user can do on the element
       • A network element trusts another network element based on
         - it having a public key that can be trusted, or
         - it having an X.509 certificate issued by a trusted certificate authority
    21. Circle of Trust: manage network elements' X.509 certificates, trusted Certificate Authorities and Certificate Revocation Lists centrally
    22. Circle of Trust: a built-in private Certificate Authority to bootstrap the trust and reduce the cost of using a commercial CA
    23. Internal Open Source
       • Hosted in Norforge: https://norforge.nortel.com/projects/quantum/
       • Released in MAS ICP 6.1
       • To be released in CS1000 release 6.0, Contact Center release 7.0, MAS AS5300, MAS A2E release and Converged Data Network release
    24. Integration options with Quantum Framework. There are a number of possible integration options, from the most loosely coupled hyperlink model to full engagement with the network level mashup services, or even providing new network mashup services.
       • Level 1: Add the URL of your application as a bookmark in Quantum's element table
       • Level 2: Integrate with Quantum's authentication service; achieve Single Sign-On and common login through RADIUS, (REST or SOAP) Web Services, SAML-based federation etc.
       • Level 3: Integrate with Quantum's authorization and UDDI element registry services: declare your own element type, register your applications as managed elements or services, and query access control decisions from Quantum's central PDP (Policy Decision Point)
       • Level 4: Declare supported (Web) services in your element type definition; integrate with existing network mashup services such as Subscriber Manager, Certificate Manager, Deployment Manager
       • Level 5: Create new network mashup services (alarm management, performance management, topology management)
    25. Quantum in CS1000: network, system and hardware view (diagram labels: Subscriber Manager, Deployment Manager, Central Patch Manager, IP-Sec Management, SNMP Profile Manager, Element Manager, EM Phone Provisioning, EM Node Manager, NRS Manager, Central User Manager, Base Manager, SNMP Agent in Elements, UCM Framework, CP for SNMP, NTP, Security, SNMP Trap Server; levels: System Level, Network Level, Hardware CPU level)
    26. Quantum in CS1000: physical deployment view of a multi-system network (diagram labels: CND, Cust AD, MySQL config, CS1000 System 1, CS1000 System 2, Web Services, xmsg, ftp, Linux UCM-primary, UCM-backup, UCM-member, SubMgr, EM/BCC, Call Server, NRSM, NRS/SPS, TPS GW, L-SLP, ECM-m, MC, SMS comp, Core comp, VxWorks, VxEll)
    27. Quantum Framework Evolution Path (diagram labels: Identity Management: Administrative User, Subscriber, People; Network: UDDI Element Registry; System Management; Unified Communication; Centralized AAA, PKI; SOA, MOM (Message Oriented Middleware); axis from "What we do now" to "What we do next")
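A Policy Decision Point of the kind this slide and slides 9, 10 and 16 describe, as an added example that is not part of the deck and not Quantum's code: roles grant permissions either per element type or per element instance, each element type declares its own permission model, a grant that the type does not model is clipped rather than honoured, and the navigator lists only the elements the user can at least view. The element types, elements, roles, users and management URLs are constructed sample data.

```python
"""Role-based policy decision point (PDP) with grants per element type and per
element instance, plus navigator-link filtering.  Added illustration with
constructed element types, elements, roles and users; not Quantum's code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ElementType:
    name: str
    permissions: frozenset        # the authorization model this type supports


@dataclass(frozen=True)
class Element:
    element_id: str
    element_type: str
    address: str                  # how to reach it
    mgmt_url: str                 # web console registered with the element


@dataclass(frozen=True)
class Role:
    name: str
    grants: tuple                 # ((target, frozenset(perms)), ...) where target is
                                  # "type:<ElementType>" or "element:<element_id>"


class PolicyDecisionPoint:
    def __init__(self, types, elements, roles, assignments):
        self.types = {t.name: t for t in types}
        self.elements = {e.element_id: e for e in elements}
        self.roles = {r.name: r for r in roles}
        self.assignments = assignments            # user -> set of role names

    def permissions_for(self, user, element_id):
        """Union of the user's role grants that apply to this element, clipped to
        the permissions its element type actually models."""
        elem = self.elements.get(element_id)
        if elem is None:
            return frozenset()                    # unknown element: deny everything
        applicable = {"type:" + elem.element_type, "element:" + element_id}
        granted = set()
        for role_name in self.assignments.get(user, ()):
            role = self.roles.get(role_name)
            if role is None:
                continue                          # stale assignment: ignore, never widen
            for target, perms in role.grants:
                if target in applicable:
                    granted |= perms
        return frozenset(granted) & self.types[elem.element_type].permissions

    def decide(self, user, element_id, permission):
        """The query an integrating application sends to the central PDP."""
        return permission in self.permissions_for(user, element_id)

    def visible_links(self, user):
        """Navigator entries the user may see: elements with at least 'view'."""
        return [(e.element_id, e.mgmt_url) for e in self.elements.values()
                if self.decide(user, e.element_id, "view")]


# Constructed sample registry and policy (hypothetical types, hosts and roles).
CALL_SERVER = ElementType("CallServer", frozenset({"view", "configure", "patch"}))
SUBSCRIBER_MGR = ElementType("SubscriberManager", frozenset({"view", "provision"}))
ELEMENTS = [
    Element("cs1", "CallServer", "192.0.2.11", "https://192.0.2.11/em/"),
    Element("cs2", "CallServer", "192.0.2.12", "https://192.0.2.12/em/"),
    Element("subm1", "SubscriberManager", "192.0.2.20", "https://192.0.2.20/submgr/"),
]
ROLES = [
    Role("NetworkAdmin", (("type:CallServer", frozenset({"view", "configure", "patch"})),
                          ("type:SubscriberManager", frozenset({"view", "provision"})))),
    Role("PatchOperator", (("type:CallServer", frozenset({"view", "patch"})),)),
    # Per-instance grant; "provision" is not in CallServer's model and is clipped.
    Role("Cs2Viewer", (("element:cs2", frozenset({"view", "provision"})),)),
]
ASSIGNMENTS = {"alice": {"NetworkAdmin"}, "bob": {"PatchOperator"},
               "carol": {"Cs2Viewer", "RetiredRole"}, "dave": set()}
PDP = PolicyDecisionPoint([CALL_SERVER, SUBSCRIBER_MGR], ELEMENTS, ROLES, ASSIGNMENTS)

if __name__ == "__main__":
    for user in ASSIGNMENTS:
        print(user, "sees", PDP.visible_links(user))
    print("bob may patch cs1:", PDP.decide("bob", "cs1", "patch"))
    print("bob may configure cs1:", PDP.decide("bob", "cs1", "configure"))
```

Clipping to the element type's own permission model is the detail worth keeping: it means a role edited against one element type cannot accidentally confer a permission that another type never defined, and a role assignment that points at a deleted role simply grants nothing.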