How to Manage Trust between PEP and PDP

心已入冬 提交于 2020-01-03 17:10:12

问题


I am working with distributed scenario in which I have multiple instances of PEP and PDP , in such a scenario how PDP will validate that XACML request is coming from my trusted PEP.


回答1:


There are can be different ways to trust the PEP. It is not clearly mentioned in the spec. But it is mentioned that you must use SSL and authentication mechanism (such as Basic/Digest authentication). Also there is a SAML-XACML profile that talks about PEP-PDP communication. But I guess, following two simple ways can be used.

  1. Basic authentication with SSL. Each PEP is given with user/password. When PEP sends a XACML request, User/Pass must be sent within Basic auth headers. PDPs can verify the user/pass by processing Basic Auth headers. All PDPs can be connected with same credential store.

  2. Mutual SSL. (two-way SSL). You can implement the PDP to support for mutual SSL. Then PEP must create a SSL session by exchanging certificates. PEP must have a its own certificate (private, public key pair). To trust PEP's certificated by the PDP, they must be in the PDP's trust store.(or less signed by a trusted CA) Then PDP can trust the certificate of the PEP.



来源:https://stackoverflow.com/questions/21479622/how-to-manage-trust-between-pep-and-pdp

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!