Middleware Initiative

This document is intended to provide background and a general understanding of the middleware initiative at the University of Maryland. It is understood that the term middleware means many things to different people. All of these definitions have merit, so it is important to establish the context for the definition in use at the moment.

For our purposes, we will use the following general definition:

Middleware: A set of services designed to provide a comprehensive framework for network-based applications to perform enterprise-based authorization, authentication, and security.

In years past, before the network was so integral to our daily activities, individuals worked on a mainframe or, more recently, their desktop. Exchange of files and information was done on an ad hoc basis. Online directories of people were not needed; the central system or server was responsible for authentication and authorization exclusive to that server. Security was a non-issue for most.

Today, the network is becoming the IT environment within which people work. Exchange of information is commonplace. In a normal day, it is expected that an individual may need to access two, three, five or more different resources or systems. As this is likely to become more commonplace, it is reasonable to consider a common set of mechanisms for managing access to those resources. This is one of the major functions intended to be fulfilled by the middleware initiative.

Four basic services delivered by middleware are:

Each of these is discussed briefly here, with references to more detailed discussions elsewhere.

Directory Services

The core piece of the middleware initiative is the directory. The directory contains certain information about the members of the university community, which may be used for authentication, authorization, and security purposes. In addition, the directory contains information that can be used for information discovery about the members of the community (e.g. email addresses, phone numbers, etc.).

A well-designed directory must have the following characteristics to be effective:

  • be accessible via standard network protocols
  • contain a consistent set of information for each member of the supported population
  • be available at all times (100% uptime)
  • be secure
  • have very fast response

The directory being implemented at the University of Maryland uses LDAP (Lightweight Directory Access Protocol) and is commonly referred to as the University Directory. The directory implementation is described in greater detail at http://www.oit.umd.edu/middleware/directory/.

Identity Management/Unique ID

As part of the middleware effort, we are working to develop a system where a single, unique userid can be established for each individual in the campus community. This is part of a larger plan toward establishing a single sign-on environment. The idea is that as individuals are granted access rights to a system or application, the administrator for that system would first check for the unique ID of the person to whom the new access was being granted. Thus, one person would not end up with multiple userids. For more information, visit http://www.oit.umd.edu/middleware/uniqueid.html.

Authentication Services

One of the characteristics of a comprehensive directory is that it can be used to provide userid/password verification services. There are hundreds or thousands of disparate servers and applications that require a login to use. As a result, it is not uncommon for an individual to have a dozen or more different userids and passwords to remember. The directory can be used as a common resource to reduce the number of different userids for an individual as well as to verify a userid/password pair.

Additional details on how a system or application might use the authentication services of the directory are available at http://www.oit.umd.edu/middleware/authn.html.

Authorization Services

In addition to a userid and password, the directory contains other information about the people at the university. As a direct result, it is possible to use some of this information to make decisions about whether or not a certain individual can access a particular system or application. For example, a college or department could establish a web site that only admits members of the staff for that college or department, or only those with a particular title.

A number of attributes are included for each directory entry that provide a broad range of information that may be used to characterize each individual. In some cases it may be appropriate to add additional attributes for a given application. In these cases, a review would be necessary to determine whether the new attribute was appropriate for use in the directory.
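The department-web-site decision described above, as an added example that is not code from the University Directory or this page: a policy of "staff of this unit, optionally limited to certain titles" is evaluated against directory entries, failing closed when the userid or an attribute is missing, and the matching LDAP search filter is built with the values escaped. The attribute names (uid, ou, title, eduPersonAffiliation) and the entries are constructed assumptions standing in for real LDAP results.

```python
# Added example, not the University of Maryland's own code. The attribute names
# and the entries below are constructed stand-ins for LDAP search results.
DIRECTORY = {
    "jdoe": {"ou": ["College of Engineering"], "title": ["Professor"],
             "eduPersonAffiliation": ["faculty", "staff"]},
    "asmith": {"ou": ["College of Engineering"], "title": ["Student"],
               "eduPersonAffiliation": ["student"]},
    "bkim": {"ou": ["School of Music"], "title": ["Lecturer"],
             "eduPersonAffiliation": ["faculty", "staff"]},
}


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    # Backslash is handled first so the escapes added afterwards stay intact.
    for ch, code in (("\\", "5c"), ("*", "2a"), ("(", "28"), (")", "29"), ("\x00", "00")):
        value = value.replace(ch, "\\" + code)
    return value


def search_filter(ou, titles=None):
    """LDAP filter selecting staff of one unit, optionally limited to titles."""
    clauses = [f"(ou={escape_filter_value(ou)})", "(eduPersonAffiliation=staff)"]
    if titles:
        alternatives = "".join(f"(title={escape_filter_value(t)})" for t in titles)
        clauses.append(f"(|{alternatives})")
    return "(&" + "".join(clauses) + ")"


def authorize(uid, ou, titles=None):
    """True only if the entry satisfies the policy; any missing data means deny."""
    entry = DIRECTORY.get(uid)
    if entry is None:
        return False  # unknown userid: deny rather than guess
    if ou not in entry.get("ou", []):
        return False  # not a member of the requested unit
    if "staff" not in entry.get("eduPersonAffiliation", []):
        return False  # unit member, but not staff
    if titles and not set(titles) & set(entry.get("title", [])):
        return False  # staff, but not one of the admitted titles
    return True
```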

For more information about using the directory for authorization services, see http://www.oit.umd.edu/middleware/authz.html.

Security

Security, in this context, refers to the protection and safe management of information and data. In today's world, a great deal of our daily activity involves the Internet. The Internet is operated by numerous separate organizations, each of which has its own policies and controls. Any security strategy must assume that the Internet is inherently untrusted. As such, any security strategy must be able to establish trust relationships in the face of an untrusted transport medium.

A good security system delivers several things, including:

  • document privacy - a way to keep a document from being read by inappropriate people
  • document integrity - a way to ensure a document has not been modified from an earlier state
  • signature - a way to electronically sign a document or verify its legitimacy
  • non-repudiation - a way to prevent someone from denying that they initiated a particular transaction

An approach to addressing these issues that also works in the untrusted Internet environment is something called a public key system. The delivery of a public key system to an enterprise is commonly called a Public Key Infrastructure (PKI). As part of the middleware effort, a PKI will be established for the university. For more information on PKI, including the plans for the university, visit http://www.oit.umd.edu/middleware/pki.


For background and additional information about what others are doing in Higher Education in the middleware area, visit the Internet 2 Middleware pages at http://www.internet2.org/middleware/.

For more information on the Middleware Initiative activities at the University, feel free to contact David Henry.

This page is maintained by the Office of Information Technology
Last modified: Monday, 25-Nov-2002 10:57:23 EST
© 2008 University of Maryland