
Chapter 1 Internet Era: E-Commerce 27
of a single sign-on (SSO) functionality that is integrated with these tools provides
the best way to avoid proliferation of passwords and login methods, both for
system administrators and for automation tools. The steps required to
implement a single sign-on solution are:
Defining centralized user and role repository for management tools
Implementing an SSO framework that supports multiple access control
methods (Web, Web services, API-based, and so on)
Integrating the control plane tools with the SSO framework
For the users of the cloud computing infrastructure, it must provide SSO
and delegation capabilities to reduce the number of times that the users must
enter their credentials when multiple resources are used (a common use case
in distributed management scenarios). This is done by creating a proxy that
consists of a new certificate (with a new public key in it) and a new private key.
The new certificate contains the owner’s identity that is modified slightly to
indicate that it is a proxy. The new certificate is signed by the owner rather than
a certification authority (CA). The certificate also includes a time stamp after
which the proxy should no longer be accepted by others.
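The proxy mechanism described above, as an added Go example that is not from the book: the owner holds a long-lived identity certificate, mints a short-lived proxy certificate for a fresh key pair, signs it with its own key rather than a CA's, and a relying party verifies the proxy against the owner's certificate. The subject naming (a "/proxy" component appended to the owner's common name), the self-signed owner certificate, and the one-hour lifetime are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Owner holds the user's long-lived identity certificate and private key.
type Owner struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// NewOwner builds a self-signed identity certificate. Self-signing is a
// constructed shortcut for the example; a real identity would be CA-issued.
func NewOwner(cn string) (*Owner, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    now.Add(-time.Minute),
		NotAfter:     now.Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Owner{Cert: cert, Key: key}, nil
}

// IssueProxy creates a new key pair and a certificate for it whose subject is
// the owner's identity with a "/proxy" component appended (assumed naming),
// signed by the owner's own key and valid only for ttl.
func (o *Owner) IssueProxy(ttl time.Duration) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	proxyKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: o.Cert.Subject.CommonName + "/proxy"},
		NotBefore:    now.Add(-time.Minute),
		NotAfter:     now.Add(ttl), // the time stamp after which the proxy is rejected
	}
	// Parent is the owner's certificate and the signing key is the owner's key,
	// so the proxy chains to the user, not to a certification authority.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, o.Cert, &proxyKey.PublicKey, o.Key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, proxyKey, nil
}

// VerifyProxy is the relying party's check: the proxy must name the owner as
// issuer, carry a signature that verifies under the owner's public key, and be
// inside its validity window at time now.
func VerifyProxy(proxy, owner *x509.Certificate, now time.Time) error {
	if proxy.Issuer.String() != owner.Subject.String() {
		return errors.New("proxy issuer is not the owner")
	}
	if err := owner.CheckSignature(proxy.SignatureAlgorithm, proxy.RawTBSCertificate, proxy.Signature); err != nil {
		return fmt.Errorf("proxy signature invalid: %w", err)
	}
	if now.Before(proxy.NotBefore) || now.After(proxy.NotAfter) {
		return errors.New("proxy outside its validity window")
	}
	return nil
}

func main() {
	owner, err := NewOwner("alice")
	if err != nil {
		panic(err)
	}
	proxy, _, err := owner.IssueProxy(time.Hour)
	if err != nil {
		panic(err)
	}
	fmt.Println("proxy subject:", proxy.Subject.CommonName)
	fmt.Println("valid now:", VerifyProxy(proxy, owner.Cert, time.Now()))
	fmt.Println("valid in 2h:", VerifyProxy(proxy, owner.Cert, time.Now().Add(2*time.Hour)))
}
```

The verification deliberately uses CheckSignature on the owner's certificate rather than a normal chain build, because standard path validation would reject a signer that is not a CA; that is exactly the property a proxy relies on, so the relying party must implement this delegation check explicitly.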
Role-Based Access Control
The authorization framework should support role-based access control (RBAC)
as defined in the NIST RBAC standard [10] and implemented in the XACML
specification [11].
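A minimal core RBAC model in the NIST sense, added here as an example and not taken from the book or from the NIST or XACML texts: users are assigned roles, roles are granted permissions, a session activates a subset of the user's assigned roles, and an access check succeeds only through an active role. The role names, permissions and users are constructed sample data.

```go
package main

import (
	"errors"
	"fmt"
)

// Permission is an operation on an object, e.g. ("restart", "router").
type Permission struct{ Op, Obj string }

// RBAC holds the user-role assignment and role-permission assignment relations.
type RBAC struct {
	userRoles map[string]map[string]bool
	rolePerms map[string]map[Permission]bool
}

func NewRBAC() *RBAC {
	return &RBAC{
		userRoles: map[string]map[string]bool{},
		rolePerms: map[string]map[Permission]bool{},
	}
}

// AssignUser adds a user-role assignment.
func (r *RBAC) AssignUser(user, role string) {
	if r.userRoles[user] == nil {
		r.userRoles[user] = map[string]bool{}
	}
	r.userRoles[user][role] = true
}

// GrantPermission adds a role-permission assignment.
func (r *RBAC) GrantPermission(role string, p Permission) {
	if r.rolePerms[role] == nil {
		r.rolePerms[role] = map[Permission]bool{}
	}
	r.rolePerms[role][p] = true
}

// Session is a user's set of activated roles; it never exceeds the assigned set.
type Session struct {
	user   string
	active map[string]bool
	rbac   *RBAC
}

// NewSession activates the requested roles, refusing any the user does not hold.
func (r *RBAC) NewSession(user string, roles ...string) (*Session, error) {
	s := &Session{user: user, active: map[string]bool{}, rbac: r}
	for _, role := range roles {
		if !r.userRoles[user][role] {
			return nil, fmt.Errorf("user %q is not assigned role %q", user, role)
		}
		s.active[role] = true
	}
	if len(s.active) == 0 {
		return nil, errors.New("session activates no roles")
	}
	return s, nil
}

// CheckAccess grants the operation only if some active role carries it.
func (s *Session) CheckAccess(op, obj string) bool {
	for role := range s.active {
		if s.rbac.rolePerms[role][Permission{op, obj}] {
			return true
		}
	}
	return false
}

func main() {
	r := NewRBAC()
	r.GrantPermission("operator", Permission{"read", "router"})
	r.GrantPermission("admin", Permission{"restart", "router"})
	r.AssignUser("alice", "operator")
	r.AssignUser("alice", "admin")
	s, _ := r.NewSession("alice", "operator") // admin assigned but not activated
	fmt.Println("alice restart router:", s.CheckAccess("restart", "router"))
}
```

Keeping the session's active roles separate from the assigned roles is what gives RBAC least privilege in practice: an operator who also holds an administrative role does not exercise it until that role is deliberately activated.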
Credential Store
The repository that is used to store the credentials of tools and devices is an
important asset. The automation of operations on managed elements such as
routers and servers requires that the automation tool and the devices authenticate
each other. The credentials used for the authentication have to be provided at
the authentication time by the automation framework. Multiple methods can
be used to provide these credentials:
Store the credentials in the script/workflow.
Ask the user for the device credentials.
Use a secure centralized credential store.
Use SSO solutions such as Kerberos.
The ideal situation where SSO is used may not be possible in all cases because
devices do not support such a model. The first two methods are either not secure