6 Itf-N Security Service Behaviour

32.3733GPPCommon Object Request Broker Architecture (CORBA) solutionSecurity services for Integration Reference Point (IRP)Telecommunication managementTS

This clause describes some behaviours of IRPManager and IRPAgent not captured by IDL in RI Solution and SAS Solution respectively. IRPManager and IRPAgent should apply RI Solution or SAS Solution to provide Authentication, Authorization and Activity Log Security Service.

6.1 Request Interceptor Solution

At configuration/deployment time, Request Interceptor on IRPManager and IRPAgent side should be configured to run respectively before IRPManager and IRPAgent start to run.

6.1.1 Authentication

This clause addresses how to use Request Interceptor to provide IRPManager Authentication and IRPAgent Authentication as well if required.

When IRPManager sends request to IRPAgent, Client-side Request Interceptor request credential from local Security Service, then inserts it into service context and attaches the service context to the request; when IRPAgent receives the request, Server-side Request Interceptor extracts the service contexts attached to the request and performs authentication method to check the validity of the credential inserted. If the check succeeds, Server-side Request Interceptor performs authorization for the request and works with the request as normal after successful authorization, otherwise an authenticationException is raised and sent to IRPManager by Server-side Request Interceptor.

When IRPAgent has processed the request from IRPManager and is going to sends result, Server-side Request Interceptor may insert IRPAgent’s credential into a service context and attach the service context to the result; when IRPManager receives the result, Client-side Request Interceptor may extract the service contexts including the IRPAgent’s credential and check its validity. If the check succeeds, IRPManager works with the result as normal, otherwise an authenticationException is raised and sent to IRPManager by Client-side Request Interceptor.

Implementation may or may not support IRPAgent authentication; if implementation supports IRPAgent authentication, it shall be configured at configuration/ deployment time; this configuration is not changeable at running time.

How IRPManager side local authentication mechanism and IRPAgent side local authentication mechanism cooperate to complete authentication is not standardized in this release.

6.1.2 Authorization

This clause addresses how to resolve Authorization requirement by using Request Interceptor.

IRPAgent is able to extract accessor Identifier from the credential attached to the request.

Each time IRPAgent receives request, Server-side Request Interceptor extracts accessor identifier from the credential attached to the request.

Server-side Request Interceptor is also able to retrieve request related information.

Server-side Request Interceptor then checks the accessor identifier, request related information against Access Control Policy predefined in IRPAgent to decide to accept the request or not. If the check succeeds, IRPAgent works with the request as normal, otherwise an authorizationException is raised and sent to IRPManager by Server-side Request Interceptor.

6.1.3 Activity Log

This clause addresses how to log activity of IRPAgent by means of Request Interceptor.

Server-side Request Interceptor logs activity of IRPAgent in the following way:

1. After receiving operation request, Server-side Request Interceptor logs the received operation request and corresponding parameters, sender identifier, and timestamp.

2. After finishing IRPManager Authentication, Server-side Request Interceptor logs authentication result.

3. After finishing Authorization, Server-side Request Interceptor logs authorization result.

4. After sending operation result, Server-side Request Interceptor logs operation result, i.e. normal reply or system/user exception.

6.2 Security Attributes Service Solution

This clause addresses how to provide IRPManager Authentication, IRPAgent Authentication, Authorization, and Activity Log Security Service by using Security Attributes Service.

At configuration/deployment time, IRPManager and IRPAgent should be configured to run over CORBA Security Service providing authentication service, authorization service and security audit service.

6.2.1 Authentication

IRPManager invokes operation authenticate (defined in CORBA Security Service specification [8]) to get a credential as a warrant.

Optionally, IRPManager may continue to invoke operation continue_authentication (defined in CORBA Security Service specification [8]) to carry out mutual authentication.

6.2.2 Authorization

When operation request reaches IRPAgent, IRPAgent side CORBA Security Service extracts accessor identifier from the credential attached to the request and invokes operation access_allowed (defined in CORBA Security Service specification [8]) to accomplish authorization due to the accessor identifier and predefined Access Control policy.

6.2.3 Activity Log

CORBA Security Service provides Security Audit Service. IRPAgent invokes operation audit_needed (defined in CORBA Security Service specification [8]) to decide which security activity/event to be logged; corresponding activity/event are logged by CORBA Security Service automatically when happens. OMG CORBA Security Service [8] defines the following activities/events that can be logged:

AuditAll

AuditPrincipalAuth

AuditSessionAuth

AuditAuthorization

AuditInvocation

AuditSecEnvChange

AuditPolicyChange

AuditObjectCreation

AuditObjectDestruction

AuditNonRepudiation

Annex A (normative):
IDL specifications

NOTE: All the IDL files below are only applicable to RI Solution. SAS Solution related IDL definition is defined in CORBA Security Service specification [8].