Level 0 defines the base level of secure interoperability that all implementations are required to support. Level 0 requires
support for SSL/TLS protected connections. Level 0 implementations are also required to support username/password client authentication
and identity assertion by using the service context protocol defined in this specification.
24.6.1.1 Transport-Layer Requirements
Implementations shall support the Security Attribute Service (SAS) protocol within the service context lists of GIOP request
and reply messages exchanged over SSL 3.0 and TLS 1.0 protected connections.
Implementations shall also support the SAS protocol within the service context lists of GIOP request and reply messages over
unprotected transports defined within IIOP.¹²
¹² SAS protocol elements should only be sent over unprotected transports within trusted environments.
Required Ciphersuites
Conforming implementations are required to support both SSL 3.0 and TLS 1.0 and
the mandatory TLS 1.0 ciphersuites identified in [IETF RFC 2246]. Conforming
implementations are also required to support the SSL 3.0 ciphersuites corresponding to the mandatory TLS 1.0 ciphersuites.
An additional set of recommended ciphersuites is identified in Section 24.4.2.1,
“Recommended SSL/TLS Ciphersuites,” on page 24-31.
24.6.1.2 Service Context Protocol Requirements
All implementations shall support the Security Attribute Service (SAS) context element protocol in the manner described in
the following sections.
Stateless Mode
All implementations shall support the stateless CSS and stateless TSS modes of
operation as defined in Section 24.3.2, “Session Semantics,” on page 24-21, and in the
protocol message definitions appearing in Section 24.2.2, “SAS context_data Message
Body Types,” on page 24-5.
Client Authentication Tokens and Mechanisms
All implementations shall support the username password (GSSUP) mechanism for
client authentication as defined in Section 24.2.4.1, “Username Password GSS
Mechanism (GSSUP),” on page 24-12.
Identity Tokens and Identity Assertion
All implementations shall support the identity assertion functionality defined in
Section 24.3.1.1, “Context Validation,” on page 24-17 and the identity token formats
and functionality defined in Section 24.2.5, “Identity Token Format,” on page 24-14.
All implementations shall support GSSUP mechanism-specific identity tokens of type ITTPrincipalName.
Authorization Tokens (not required)
At this level of conformance, implementations are not required to be capable of including an authorization token in the SAS
protocol elements they send or of interpreting such tokens if they are included in received SAS protocol elements.
The format of authorization tokens is defined in Section 24.2.3, “Authorization Token
Format,” on page 24-10.
24.6.1.3 Interoperable Object References (IORs)
The security mechanism configuration of CSIv2 target objects shall be as defined in
Section 24.5.1, “Target Security Configuration,” on page 24-32, with the exception that
Level 0 implementations are not required to support the DelegationByClient
functionality described in Section 24.5.1.1, “AssociationOptions Type,” on page 24-33.
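As an added example that is not part of the specification, the following Python models the CSIIOP CompoundSecMech structure referenced in 24.6.1.3 and reviews a target's advertised mechanism against the Level 0 requirements of this section: the protected or unprotected transport (with the caveat of footnote 12), the RFC 2246 mandatory ciphersuite, the GSSUP client-authentication mechanism, ITTPrincipalName identity tokens, and the optional DelegationByClient option. The numeric component-tag and AssociationOptions values, the GSSUP OID string and the dataclass shapes are assumptions recalled from the CSIv2 IDL rather than taken from this page; the `ciphersuites` attribute is a constructed, reviewer-supplied input, since the IOR itself does not carry it.

```python
"""Check advertised CSIv2 compound security mechanisms against the Level 0
requirements of Section 24.6.1 (added example, not code from the specification)."""
from dataclasses import dataclass, field
from typing import List

# IOP component tags from the CSIIOP module. The numeric values are assumed here
# (recalled from the CSIv2 IDL); verify them against your copy of the specification.
TAG_NULL_TAG = 34          # transport carries no security protection
TAG_TLS_SEC_TRANS = 36     # SSL/TLS protected transport

# AssociationOptions bit flags from the CSIIOP module (assumed values, as above).
INTEGRITY = 2
CONFIDENTIALITY = 4
ESTABLISH_TRUST_IN_CLIENT = 64
IDENTITY_ASSERTION = 1024
DELEGATION_BY_CLIENT = 2048

# IdentityTokenType bit for ITTPrincipalName tokens (assumed value from CSI.idl).
ITT_PRINCIPAL_NAME = 2

# The GSSUP mechanism OID in the "oid:" string form used by the spec (assumed).
GSSUP_OID = "oid:2.23.130.1.1.1"

# Mandatory TLS 1.0 ciphersuite from RFC 2246 section 9 and its SSL 3.0 counterpart.
REQUIRED_SUITES = {
    "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
    "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
}


@dataclass
class TransportMech:
    tag: int                       # TAG_TLS_SEC_TRANS or TAG_NULL_TAG
    target_supports: int = 0
    target_requires: int = 0
    # Not part of the IOR: the suites the TSS is configured to offer, supplied
    # by the reviewer so the ciphersuite requirement can be checked as well.
    ciphersuites: List[str] = field(default_factory=list)


@dataclass
class ASContextSec:
    target_supports: int
    target_requires: int
    client_authentication_mech: str  # mechanism OID string


@dataclass
class SASContextSec:
    target_supports: int
    target_requires: int
    supported_identity_types: int    # bitmask of IdentityTokenType values


@dataclass
class CompoundSecMech:
    target_requires: int
    transport_mech: TransportMech
    as_context_mech: ASContextSec
    sas_context_mech: SASContextSec


def review_level0(mech: CompoundSecMech) -> List[str]:
    """Return findings that would keep a Level 0 peer from using `mech` safely.
    An empty list means the mechanism is usable by a Level 0 implementation."""
    findings: List[str] = []
    transport, asm, sas = mech.transport_mech, mech.as_context_mech, mech.sas_context_mech

    if transport.tag == TAG_TLS_SEC_TRANS:
        if not REQUIRED_SUITES & set(transport.ciphersuites):
            findings.append("TLS transport offers none of the RFC 2246 mandatory ciphersuites")
    elif transport.tag == TAG_NULL_TAG:
        # Footnote 12: SAS elements over unprotected IIOP belong only in trusted environments.
        if asm.target_supports or sas.target_supports:
            findings.append("SAS protocol elements (including GSSUP passwords) would travel over unprotected IIOP")
    else:
        findings.append(f"transport component tag {transport.tag} is not required at Level 0")

    # Client authentication: Level 0 peers only speak GSSUP.
    if asm.target_supports & ESTABLISH_TRUST_IN_CLIENT and asm.client_authentication_mech != GSSUP_OID:
        findings.append("client authentication mechanism is not GSSUP; a Level 0 client cannot authenticate")

    # Identity assertion: Level 0 peers only produce ITTPrincipalName tokens.
    if sas.target_supports & IDENTITY_ASSERTION and not sas.supported_identity_types & ITT_PRINCIPAL_NAME:
        findings.append("identity assertion does not accept ITTPrincipalName tokens")

    # DelegationByClient is optional at Level 0, so requiring it excludes Level 0 peers.
    if (mech.target_requires | sas.target_requires) & DELEGATION_BY_CLIENT:
        findings.append("DelegationByClient is required, which Level 0 implementations need not support")
    return findings


# Constructed sample mechanisms: one a Level 0 target would advertise, one that
# pushes GSSUP over an unprotected transport and demands DelegationByClient.
CONFORMING = CompoundSecMech(
    target_requires=INTEGRITY | CONFIDENTIALITY,
    transport_mech=TransportMech(TAG_TLS_SEC_TRANS, INTEGRITY | CONFIDENTIALITY,
                                 INTEGRITY | CONFIDENTIALITY,
                                 ["TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA"]),
    as_context_mech=ASContextSec(ESTABLISH_TRUST_IN_CLIENT, ESTABLISH_TRUST_IN_CLIENT, GSSUP_OID),
    sas_context_mech=SASContextSec(IDENTITY_ASSERTION, 0, ITT_PRINCIPAL_NAME),
)
WEAK = CompoundSecMech(
    target_requires=0,
    transport_mech=TransportMech(TAG_NULL_TAG),
    as_context_mech=ASContextSec(ESTABLISH_TRUST_IN_CLIENT, ESTABLISH_TRUST_IN_CLIENT, GSSUP_OID),
    sas_context_mech=SASContextSec(IDENTITY_ASSERTION | DELEGATION_BY_CLIENT,
                                   DELEGATION_BY_CLIENT, ITT_PRINCIPAL_NAME),
)

if __name__ == "__main__":
    for name, mech in (("conforming", CONFORMING), ("weak", WEAK)):
        print(name, review_level0(mech) or ["no findings"])
```

In practice the inputs would be decoded from the TAG_CSI_SEC_MECH_LIST component of a real IOR; the review is deliberately split by requirement so that each finding maps back to one clause of this section.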