Mini-Tutorial on OMG

Context

• DDB must fit into evolving environment
• evolving OTS technology
• evolving protocol and interface standards OMG only covered in this presentation
• evolving DoD needs, architectures, requirements

Relevant Standards Development Organizations

• OMG - Object Management Group rest of presentation about OMG only
• OGC - Open GIS Consortium
• strong ties to NIMA and industry
• Open Geodata Model Working Group - RFP for Simple Map Features
• now using ISO ODP IDL for model since specs submitted came in four flavors - ActiveX, Java, ODBC, and CORBA
• OGC Services Working Group - RFI for Catalog Services
• Earth Imaging Working Group - RFP for Pixel Manipulation Services
• allow pixels to be modified
• part 1 - support protocols and formats in use
• National Image Transfer Format (NITF)
• Geospatial Tagged Image File Format (GeoTIFF)
• Standardized Data Transfer Service (SDTS)
• part 2 - support new oo protocols
• ODMG - Object Database Management Group
• ODMG-93 now, ODMG-x coming soon
• ISO RM-ODP - Reference Model for Open Distributed Processing
• ISO/ANSI SQL3
• WfMC - Work Flow Management Coalition
• IETF - Internet Engineering Task Force
• W3C - World Wide Web Consortium
• what else? ISO TC 211?

• NIMA Architecture - National Imaging and Mapping Agency
• DARPA ISO Architecture
• JTF, JFACC, ALP, …
• DISA Architecture
• HLA Architecture
• what else?

OMG - hope to cover

• OMG methodology
• stuff the community already has figured out
• OMG directions
• Some specific interests
• space, time, uncertainty (Tenney)
• security - what the specs cover and what they don't (Fabian)

OMG at a Glance

• Good News
• 600+ companies, 1989-present
• one-stop shopping for object technology and middleware standards
• OMA architecture is extensible, componentware is coming
• focus is on interface standards more than wire protocols
• technology marketplace where industry, government, and academia can meet
• Netscape is bundling Visigenics IIOP
• Bad News
• componentwhere is still immature
• composition and federation patterns, marketplace
• few reference implementations
• CORBA does not support
• asynchronous messaging
• ordered delivery
• mobile objects or mobile code (or code at all)
• semantics
• …
• there is competition
• Microsoft OLE
• Java

Organization

• Board
• Architecture Board
• Platform Technical Committee
• ORBOS Task Force - ORB and Object Services
• Common Facilities Task Force
• Workflow Working Group
• Internet SIG
• Real-time SIG
• Security SIG
• Distributed Simulation SIG
• Domain Technical Committee
• OA&D Task Force
• Business Objects Task Force
• Finance Task Force
• Insurance Working Group
• Manufacturing Task Force
• Telecom Task Force
• Electronic Commerce Task Force
• Medical Task Force
• Transportation
• GIS SIG
• End-User
• C4I Working Group
• Object Model Subcommittee
• Quality of Service Working Group
• Liaison Subcommittee
• P&P Subcommittee

Architecture

• Object Management Architecture
• Object Services Architecture Issue 6.0
• Common Facilities Architecture draft 4.0
• various white/green papers on architectural elements

• see pretty picture

Typical Mode of Operation

• SIG --> Task Force
• RFI --> RFPs
• commercial availability requirement (one year from spec adoption)

OMG List of Documents

• Reference: http://www.omg.org/members/tcarcive.htm login: member, pwd: nin

Specifications - Adopted and Planned

Reference: http://www.omg.org/library/schedule/Technology_Adoption.htm

ORB specifications

• adopted
• CORBA 2.0/IIOP Specification PTC/96-08-04
• Reference: http://www.omg.org/corba/corbiiop.htm
• Object Model
• CORBA Overview
• OMG IDL Syntax
• Dynamic Invocation Interface
• Dynamic Skeleton Interface
• Interface Repository
• Basic Object Adapter
• Interoperability Architecture
• General Inter-ORB Protocol
• DCE ESIOP
• C Language Mapping
• IDL to C++ Mapping
• IDL to Smalltalk Mapping
• orbos/96-06-20: Common Secure IIOP
• 95-05-16: IDL to Ada
• orbos/96-10-01: IDL to COBOL Mapping
• in progress
• Java Language Mapping RFP
• orbos/97-02-17: Reverse Java Mapping RFP draft
• orb/96-01-04: Multiple Interfaces and Composition RFP
• orbos/97-02-03: DCE/CORBA Interworking RFP
• orbos/97-03-16: COM/CORBA Part B
• Objects-by-value RFP

OMG CORBAservices

• Reference:
• http://www.omg.org/library/public-doclist.html
• http://www.omg.org/library/corbserv.htm
• adopted/97-02-01: CORBAservices - Title Page
• adopted/97-02-02: CORBAservices - Table of Contents
• adopted/97-02-03: CORBAservices - List of Figures
• adopted/97-02-04: CORBAservices - List of Tables
• adopted/97-02-05: CORBAservices - Preface
• adopted/97-02-06: CORBAservices - Overview
• adopted/97-02-07: CORBAservices - Design Principles
• adopted/97-02-08: CORBAservices - Naming
• adopted/97-02-09: CORBAservices - Event Management
• adopted/97-02-10: CORBAservices - Persistent Object
• adopted/97-02-11: CORBAservices - Lifecycle
• adopted/97-02-12: CORBAservices - Concurrency
• adopted/97-02-13: CORBAservices - Externalization
• adopted/97-02-14: CORBAservices - Relationships
• adopted/97-02-15: CORBAservices - Transactions
• adopted/97-02-16: CORBAservices - Query
• adopted/97-02-17: CORBAservices - Licensing
• adopted/97-02-18: CORBAservices - Property
• adopted/97-02-19: CORBAservices - Appendix A: Property Services IDL
• adopted/97-02-20: CORBAservices - Security Services Part I
• adopted/97-02-21: CORBAservices - Security Services Part II
• adopted/97-02-22: CORBAservices - Time
• adopted/97-02-23: CORBAservices - Index
• tc/96-02-01: CORBA services IDL interfaces
• adopted orbos/96-05-05: Object Collections Service
• adopted orbos/96-05-06: Object Trader Service
• adopted 95-12-06: System Management Facility
• in progress
• Messaging RFP
• orbos/97-01-14: Persistence 2.0 RFP
• roadmap
• GIOP over ATM
• Naming Federation
• Federation of other services
• additional Security RFPs
• Session Management
• Real-time Timing and Protocols
• Scheduling
• Replication Service
• Directory Services
• Versioning
• Filewalls RFP
• Load balancing

CORBAfacilities PTF

• adopted
• 95-12-34: Compound Presentation & Interchange
• in progress
• cf/97-03-11: CORBA Internet Facility RFP (CF RFP8)
• cf/96-05-02: Meta-Object Facility RFP
• Mobile Agents RFP
• Workflow RFP draft
• Rules RFP draft

OMG Internet SIG

• homepage
• RFI response recommendations - influence ORBOS and Common Facilities roadmaps
• working on semantic/object file system (OTAM)
• working on composition and federation of services and facilities

Simulation SIG

• issue is CORBA w simulations on top vs. time-aware CORBA
• strong ties to DMSO High Level Architecture (HLA)
• working on white paper on simulation - analysis simulations, virtual simulations, engineering simulations

Business Objects DTF

• in progress Common Business Objects RFP
• in progress Business Object Facility RFP

Electronic Commerce DTF

• in progress ec/96-11-02: Electronic Payment

Finance

• in progress finance/96-11-01: Currency RFP

OA&D DTF

• in progress OA&D RFP

Manufacturing

• in progress White paper (v 1.0)

Telecom DTF

• in progress Notification RFP
• in progress Topology RFP

CORBAmed

• in progress corbamed/97-01-04: Lexicon Query Services RFP

Hot Topics at current OMG meetings

• boundary between OA&D, MOF, and BOF
• composability of services into facilities, federation
• semantics
• inserting QoS and real-time into OMG specs
• simulation
• Java and OLE

OMG Space, Time, Uncertainty (Tenney asked for status)

• Space
• CORBAgis SIG - reflector for Open GIS Consortium
• IORs and URLs on the horizon but no GISrefs
• (in progress - Telecom topology RFP - extends relationship service to reference non CORBA objects)
• Time
• adopted - Time Service spec - think network clock - Basic Time Service supports absolute current time uses X/Open Universal Time Coordinated, accurate to 10^-7 years and range to 30,000 AD, with error estimate, also supports relative time and secure, trusted time. Timer Event Service couples basic time service and event service.
• adopted - Event Service, in progress - Telecom Notification Service
• Real-time SIG - multiple protocols, flexible bindings (extensibility), fault tolerance, time services, QoS, scheduling and end-to-end predictability
• planned - Versioning Service (for instances, implementations, interfaces?)
• Uncertainty
• no work on uncertainty modeling at OMG

OMG Security (Fabian asked for status)

• References:
• Security White Paper
• 1995/95-06-06: Security Service API Crypto API Recommendation
• adopted/97-02-20: CORBAservices - Security Services Part I
• adopted/97-02-21: CORBAservices - Security Services Part II
• around 300 pages
• security model, permits security unaware and aware apps, provides administrative interfaces, secure ORBs and ORB interoperability, non-repudiation, security of services via interceptors
• adopted orbos/96-06-20: Common Secure IIOP
• SSL for CORBA - provides secure transport, uses RSA or DSS, X.509 V 3 certificates, you gety identity only based authorization with optional SSL authentication, no fine grained control of confidentiality or integrity, no delegation
• security/97-02-07: Firewall RFP draft (see below)
• Henry Rothkopf, NIMA - Security presentation to ORBOS TF (see below)
• Security Services Revision Task Force - clean up oversights in Security spec re credential object, interceptor specification, policy object lifecycle
• Security SIG - working on Common Generic Threat Model (glossary - threat, vulnerability, risk, intensity, countermeasure), liaison to outside OMG, education on use of security spec, and inter-spec consistency with security needs
• OMG Security Specs covers
• modular security services
• discretionary access control
• credentials
• secure IIOP
• interceptors
• OMG Security Spec does not cover
• security of ORBs using different security mechanisms, audit analysis tools, crypto API, security for ORB services,
• firewalls - but see firewalls RFP
• federation of security systems across policy boundaries and interdomain import/export policies
• changing security policies in running systems
• threat models
• generalizations of security to use-conditions (see below)

Conclusion

• DDB can't afford to go it alone - needs open diverse technology base, no one product comes close
• OMG provides a lot but not all technology components (interfaces) needed by DDB
• OMG focus is open middleware, object technology, domain models
• can view OMG as a blueprint or as a suite of technologies
• one stop shopping for industry, government, academia (sort of)
• OMG GIS SIG just getting started, OGC is a more direct hit for the GIS portions of the DDB architecture

For Further Information

• see http://www.omg.org - members only access is login: member, password: nin
• contact Craig - tons of information, specs, minutes, trip reports, …

Security Requirements, Henry Rothkopf, National Imaging and Mapping Agency (NIMA)

(from Minutes of Internet SIG Meeting #10)

Henry described deficiencies of today's security systems and provided handouts on a large (preliminary) study done with a lot of MITRE and other inputs. He pointed out that the DoD realizes that most security issues are generic to industry as well as Government and DoD needs such schemes to be in widespread use, and then wants to be able to add-on GOTS (e.g., Government off the shelf) requirements. Henry advocates coming up with a single threat model for commercial and Government use. There will always be some GOTS requirements but threats for both are similar.
He requested inputs from OMG on the draft report (handout). He stated that today, in the DoD we have some working "system high" systems (enforces need to know) and very few, very expensive multi-level systems, expensive because they require assurance on the development side. But in the next generation, we need more modular security that supports multiple communicating domains with generic security available at several levels in protocol stacks. At a course grain, this includes wrapping whole collection of items with one label like "imaging". At a finer grain level there might be multiple CORBAs talking to each other using access privileges. He indicated that scalability requires that we must communicate policy across domain boundaries. Also we need to be able to change security policies in running systems. We don't know how many such systems we are talking to at any given time. Each domain is mutually suspicious but we must communicate until we are done. This is a big step beyond today's firewalls. It requires an inter-domain import/export policy; a label-based scheme appears doable but depends on additional management that we don't do today. It is also a step away from C1, B2, etc. levels of security aiming at a richer scheme for insuring safeguards in federated systems with mixed security levels.
Q from Craig: This is very different from firewall technology - much more robust (and complex). How will the transition take place. Have firewall vendors been contacted? Response from Pat Mallet: as industry sees the similarities, migration should happen. Response from Neil Wagoner: First step is to develop a combined threat model. Second step is to determine what can be done in the CORBA environment and what cannot.
Q from Craig: What about Virtual Private Networks? How do they relate? Response: VPNs only address some security levels - Virtual Private Networks are lower level and do not transfer information across boundaries.

Firewall RFP, John Sebes, Trusted Information Systems (TIS)

(from Minutes of Internet SIG Meeting #10)

See briefing and draft ORBOS RFP security/97-02-07: CORBA/Firewall Security Request for Proposals, draft
What are issues relative to Internet? Why is the RFP needed?

• Current state of practice is not satisfactory.
• Firewall support for IIOP is inconsistent - no guarantees that any particular firewall implementation of IIOP will work with all others
• Three situations today: complete blocking of IIOP, tunneling with accepted protocol, routing filters

Firewalls requirements

• mandatory
• allow outside access to specifically allowed inside CORBA-based application services, and also prevent access to others
• more bullets
• optional
• greater granularity
• firewall-to-firewall SSL transport of IIOP
• Secure IIOP is implemented with IIOP
• Provide IIOP interaction with selected authenticated outsiders
• What do you do when there are end-to-end privacy requirements?

Feels that this is not a final answer in and of itself. SSL provides edge to edge security - another part of the answer. Secure IIOP allows third party security - based on RSA cryptography.
Java applet communicating from outside the firewall (single firewall) - requirement included in draft RFP?

• Currently optional in draft RFP
• Java issue is orthogonal

Implementing a firewall that works with IIOP is easier than other technologies (e.g., DCE)

• Security still largely TBD
• ORB vendors seem to be making an effort to be firewall friendly
• IIOP is a pretty nice protocol since it was defined for the Internet
• Much can be done with IIOP headers
• When unpacking is necessary, the tools already exist
• Better for information security than any others

Security Architectures for Distributed Enterprise, Bill Johnston, Lawrence Labs

(from DOE 2000 Workshop in conjunction with DARPA IC&V Workshop)

not connected to OMG, just interesting

Interesting talk on security. The use-condition model is more general than security and seems to be useful for any abstraction. That seems to be the value-added. Johnston should come to OMG Security meetings.
Collaboratories physically separate users from machines they use. How can users impose use conditions and security on the machines when they are remote? Slide shows first-generation solutions to future solutions: Physical Protection (safes, guards, and fences) to Blanket Info Security (ACLs, firewalls, authentication, intrusion detection) to Specific Application Security (public key, EBT, EDI, EFT, identity certificates, current Web) to Enterprise Security (public key infrastructure, enterprise functions, electronic commerce, authorization certification). Requirements in financial services and scientific communities are similar (comparisons: electronic notary, authenticating log books). Johnston is working on use-condition centered models. Attribute certificates - do you have your X training? Yes, pull out card indicated class X from authority. Need distributed certificate authority. Responsibility for actions is traced back to individual through unbroken chain of certificates. In their model agents and brokers create contracts. Having to pay for a resources is another attribute. Use-condition is a short-hand for certificates. Access Control Lists (ACL) are a special case. Johnson reviewed public key. Names are handles for public-key. Certificates are secure documents that participate in the security infrastructure. Another element needed is signing mechanisms. Put it all together and you get a Use-Condition Model. Individual (Identity Authority, many attribute authorities (drivers license)) plus resource authorities tied together provide capability. Add to this access control (who grants, where is use-condition, and resource). Finally, described overall architecture. One part is smart shell, another is mini-SQL for looking up security attributes on the web. Using JYLU and IETF GSS. None of this can be exported though they use standards and all software is coming from Australia or Finland.