(1) Middleware related features
Architecture
- modular architecture
- comparable to an operating system
- consistent service concept
- extensibility through creation of own services and service providers
- hierarchical service namespace allows fine-grained security enforcement
Administration/Maintenance
- command shell which is as powerful as a UNIX shell
- scripting simplifies configuration and bootstrapping
- flexible configuration and monitoring during runtime
- remote login (Telnet, Telnet over SSL/TLS)
- services/modules are individually configurable
- graphical user interfaces for service management
Web interface
- Web servlet framework (compatible with Tomcat's servlet framework)
- integrated mechanism to provide web resources (images, etc.) temporarily for dynamic Web page presentation
- integrated HTTP and HTTPS server, the latter enforcing client authentication during the SSL/TLS handshake if needed
Web service framework
- transparent and fully automated support of Web services
- automatic generation of server and client stubs from regular Java classes at runtime
- UDDI-based service management for service provisioning and discovery
- use of unambiguous service identifiers based on a hash code over the interface's method signature
- Web services-based communication layer between distributed SicAri platforms also provides interoperability with foreign service infrastructures
(2) Security related features
Flexible creation and specification of security policies
- role-based security policies (RBAC, Role-Based Access Control)
- security policies specified in RBAC-compliant XACML
- fine-grained rights management
Sandboxing of executed components, if necessary
- service environment as the only interaction interface between services and/or applications
- various proxy modules wrap services within environment to ensure proper isolation (security context switch, thread context switch, etc.)
- individual thread group for each authenticated user on the local platform
- strictly controlled access to service environment and basic kernel features
Authentication and Authorization
- authentication based on Java's Authentication and Authorization Service (JAAS)
- support for username/password-, softtoken- (i.e. keystore files), smartcard-, and SSL/TLS-based user authentication
- provision of local, global, and remote authentication schemes within the SicAri infrastructure
- support for mobile JavaME-based clients and other non-SicAri systems
- signed ASN.1- or SAML-based security token as the result of a successful user authentication
- SicAri security token in particular allows service authorization when accessing a remote service platform
- use of current Web services security standards to handle and transmit security tokens between distributed platforms (e.g. as SAML-conformant security token)
Identity and key management
- integrated support for local file-based and global LDAP-based identity management
- usage of file-based and LDAP-based certificate stores
- intrinsic support of cryptographic key material for user authentication, data encryption, and digital signature generation
Holistic policy management
- concept for security policy management comprises policy generation, validation, administration, distribution, decision and enforcement
- SicAri platform provides local policy enforcement, policy decision, and policy administration
- proper interfaces allow integration of policy distribution and remote policy administration
- current plans to integrate the corresponding modules soon
Cryptography
- own independent ASN.1 implementation
- cryptographic provider from Technical University of Darmstadt, Germany
Support of international and de facto standards
- ITU-T X.680/ITU-T X.690 (ASN.1, DER/BER)
- ITU-T X.509v3 (certificates, PKI)
- PKCS (digital signatures, certificate requests, certificates, PKI)
- JCA/JCE (Java cryptography architecture, Java cryptography extension, pluggable cryptographic service providers (CSPs), flexible algorithm support, use of third party CSPs possible)
- ZIP/JAR as standard for storage of components
- SSL/TLS: remote configuration, agent transport
- LDAP: certificate management
- WS-Enc, WS-DSig, SAML, XACML, and other WS-Security standards