Presentation is loading. Please wait.

Presentation is loading. Please wait.

HL7 CCOW Meeting, Sept. 2003 CCOW Support for Kerberos Problem Statement: Application is CCOW User Link-compliant and uses Kerberos to connect to back.

Similar presentations


Presentation on theme: "HL7 CCOW Meeting, Sept. 2003 CCOW Support for Kerberos Problem Statement: Application is CCOW User Link-compliant and uses Kerberos to connect to back."— Presentation transcript:

1 HL7 CCOW Meeting, Sept CCOW Support for Kerberos Problem Statement: Application is CCOW User Link-compliant and uses Kerberos to connect to back end services Application needs Kerberos service ticket CCOW user at workstation may be different than user logged on to workstation's operating system Application needs to obtain ticket for CCOW user, as opposed operating system user

2 HL7 CCOW Meeting, Sept Simplified Kerberos Architecture Kerberos Distribution Center (KDC) Kerberized Application Kerberized Service Client Operating System 1. Authenticate 3. Use Application 2. Get Ticket Granting Ticket (TGT) 5. Use Service Ticket to Access Service 4. Get Service Ticket

3 HL7 CCOW Meeting, Sept Ticket Facts Tickets are bound to a service Forwadable tickets can be used to get to a nested service Tickets expire or can be used once (I.e., fast expiration) Tickets are doubly encrypted: first so only authenticating application can decrypt second so only service can decrypt

4 HL7 CCOW Meeting, Sept CCOW Kerberos Architecture Kerberos Distribution Center (KDC) Kerberized Application Kerberized Service Authenticating Application 1. Authenticate 3. Use Application 2. Get Ticket Granting Ticket (TGT) 5. Use Service Ticket to Access Service 4. Get Service Ticket Client Operating System Context Manager

5 HL7 CCOW Meeting, Sept CCOW Kerberos Details Define a Get Kerberos Service Ticket context action Action agent would effectively be the CCOW authenticating application Based inputs/outputs/errors on GSS-API specification (RFC 1964) Keep this action Kerberos-specific as generalization yields complexity

6 HL7 CCOW Meeting, Sept Kerberos Action Specification Input NameCCOW Data TypeDescription Flags?Ticket granting service flags Realm?The requested realm ??? ServiceNameSTName of target service IPAddressesST (repeating)Address(es) for target service ExpirationTSTicket expiration time Output NameCCOW Data TypeDescription TicketST (character- encoded binary per CCOW Arch. Spec) The service ticket Error?Error, if any (RFC1510)

7 HL7 CCOW Meeting, Sept Discussion Need real use-cases and Kerberos knowledgeable engineers willing to work on this. Can the solution also work for other authentication methods (Certificates, Biometrics, etc). –SAML ?


Download ppt "HL7 CCOW Meeting, Sept. 2003 CCOW Support for Kerberos Problem Statement: Application is CCOW User Link-compliant and uses Kerberos to connect to back."

Similar presentations


Ads by Google