Previous section.

Common Security: CDSA and CSSM
Copyright © 1997 The Open Group

Overview of Elective Module Managers

To ensure long-lived utility of CDSA and CSSM APIs, the architecture includes several extensibility mechanisms. Elective module managers is a transparent mechanism supporting the dynamic addition of new categories of service. Elective service categories create areas for totally new products. When an elective service category is defined, at least one instance of an add-in module will also be developed to provide that service.

Elective services extend CSSM. They define their own application programming interfaces and service provider interfaces. For example, key recovery can be an elective service. Some applications will use key recovery services (by explicit invocation) and other applications will not use it. Audit logs can be an elective service. Applications wishing to maintain a log can do so, other applications will not use that facility. CSSM's elective module management facilities provide a set of mechanisms that support runtime inclusion of new APIs and their corresponding SPIs. Standardization of the new APIs and SPIs is in addition to the current CDSA standards. The additions can be standardized as an enhancement to CDSA or as an independent standard that is adopted and used within CDSA. The elective module management mechanisms allow CDSA implementations to easily and quickly incorporate these new standards. CSSM does not have a priori knowledge of the elective APIs, but applications have complete knowledge of the new APIs in order to explicitly invoke the services provided through those APIs.

Built-In Policies and Application Exemptions

The elective module manager can define built-in checks for normal controlled functioning of the new security services defined by the module manager. The elective module manager can define categories of exemption corresponding to these checks. Applications request exemption from these checks using the CSSM_RequestCssmExemption function. Exemptions are granted if the requester provides credentials that:

Credentials are said to carry implied authorization if they can be verified based on points of trust specified by the authorizing entity.

An elective module managers can define trust points in addition to CSSM's trust points by including application authentication keys in the module manager's description contained in its signed manifest credentials. CSSM can use these public keys as additional trust points for authenticating applications requesting exemptions. When an exemption has been granted, it is the responsibility of the elective module manager to not enforce the built-in check corresponding to the granted exemption.

To define new categories of exemption, the elective module manager defines a new, unique CSSM_EXEMPTION_MASK flag. This bitmask represents the set of exemptions requested by an application. Applications can change their exemption status multiple times during execution. Each request for exemption requires a separate authentication check .

Transparent, Dynamic Attach

Applications are not explicitly aware of module managers within CSSM. Applications see a uniform set of interface management services provided by CSSM across all types of security service categories. In reality, some of those services are provided by the CSSM core functions (that is, applicable to all service types) and the remainder are provided by each module manager for their respective security service category.

Applications are aware of instances of add-in modules, not the module managers that control access to those modules. Before requesting services from an add-in service provider (via APIs defined by a module manager), the application invokes CSSM_attach to obtain an instance of the add-in service provider. Steps to Attach an Add-In Module and load its EMM shows the sequence of processing steps. If the module is of an elective category of service, then CSSM transparently attaches the module manager for that category of service (if that manager is not currently loaded). The module manager must perform the CSSM-defined bilateral authentication protocol. This protocol is used to ensure CSSM-wide integrity when any component is dynamically added to the CSSM runtime environment. (This protocol is described in more detail in a later section of this specification.) Once the manager is loaded, the APIs defined by that module are available to the application.

The dynamic nature of the elective module manager is transparent to the add-in module also. This is important. It means that an add-in module vendor need not modify their module implementation to work with an elective module manager versus a basic module manager.

There is at most one module manager for each category of service loaded in CSSM at any given time. When an elective module manager is dynamically added to serve an application, that module manager is a peer of all other module managers and can cooperate with other managers as appropriate.

Elective module management defines a set of mechanisms that support runtime inclusion of new APIs and their corresponding SPIs. Standardization of the new APIs and SPIs is in addition to the current CDSA standards. The additions can be standardized as an enhancement to CDSA or as an independent standard that is adopted and used within CDSA. The elective module management mechanisms allow CDSA implementations to easily and quickly incorporate these new standards. CSSM does not have a priori knowledge of the elective APIs, but applications have complete knowledge of the new APIs in order to explicitly invoke the services provided through those APIs. The elective module manager is responsible for checking instance compatibility with the CSSM that loaded the manager. Compatibility can be based on a combination of the CSSM's GUID, CSSM's Interface GUID, and CSSM's major and minor version number. CSSM APIs can be invoked to obtain these values. These values also represent the instance level of the basic module managers that are always present in the CSSM. In rare cases, elective module managers may have dependencies on each other. In this case compatibility between elective module managers is the responsibility of the elective module managers. These checks must be performed in a manner that does not depend on the order in which the caller attaches depend services that are supported by elective module managers. Compatibility checks among dependent, elective module managers can be checked using the event notification interface for communication among module managers. When an attached application detaches from an add-in service module, CSSM will also unload the associated module manager if it is not in use by another thread, process, or application.

Figure: Steps to Attach an Add-In Module and load its EMM

Registering Module Managers

Module managers are installed and registered with CSSM in a similar manner to add-in modules. CSSM records module manager information in the CSSM registry. This information can be queried, but typically only system administration applications will use registry information about module managers. For example, a smart installer for an add-in module may confirm that the corresponding module manager is also installed on the local system. If not, then the installer can install the required module manager with the add-in module. This does not effect the implementation of the add-in module itself, just the install program for that add-in module.

State Sharing Among Module Managers

Module managers may be required to share state information in order to correctly perform their services.

When two or more module managers share state, each manager must be able to:

The other module managers must be able to:

When module managers share state information they must implement conditional logic to interact with each other. Two module managers can share state information by several different mechanisms:

The first two mechanisms depend on platform services outside of CDSA. Module managers that share state information can use all of these mechanisms.

CSSM-supported event notifications require that all module managers implement and register with CSSM an event notification entry point. Module managers issue notifications by invoking a CSSM function, specifying:

CSSM delivers the notification to the destination module manager by invoking the manager's notification entry point.

Typical event types include:

Module managers that share state information are not required to use the CSSM event notification mechanism. These types of events, requests, and notifications can be shared using the other platform dependent mechanisms. CSSM provides this simple mechanism specifically for situations where other platform services are not readily available.


Why not acquire a nicely bound hard copy?
Click here to return to the publication details or order a copy of this publication.
You should also read the legal notice explaining the terms and conditions relating to the CDSA documentation.

Contents Next section Index