In implementing secure communications between components in large online service systems (e.g., online backup systems, online reporting systems, etc.), trust needs to be established between components running in different domains or otherwise under the security jurisdiction of different servers. The secure communication layer in online service systems is often implemented using X.509 certificates, which must be signed by a Certificate Authority (CA). Trusting a CA allows a component to trust the various certificates signed by that CA, and by extension to trust other components with such signed certificates. Secure communication can occur when each component participating in the communication trusts the CA that signed the certificate of each other component.
One example of a large online service system is Veritas NetBackup (NetBackup), published by Symantec Corp. NetBackup is an enterprise level heterogeneous backup and recovery system, which provides cross-platform backup functionality across a large variety of operating systems. Each NetBackup domain is configured with a central master server which manages both Media Servers (containing the backup media) and clients. NetBackup currently recommends establishing and propagating trust relationships between components by utilizing a single, top-level CA (i.e., a Public Key Infrastructure (PKI) system) called the Root Broker (RB). Under the RB, each master server has its own CA, called an Authentication Broker (AB), whose certificate is signed by the RB. The AB then signs certificates for each component in the master server's domain. This allows for cross-domain communication to occur, which happens when a single client interacts with multiple master servers.
One common problem with this setup is that it requires a significant amount of upfront planning in order for the secure communication to work properly. It is difficult to do this planning when security infrastructure is disjoint from the application (e.g., backup) infrastructure. Without additional up-front planning for security infrastructure, an RB is typically installed alongside each master server. If the system architecture is not designed for secure communication from the beginning, an existing RB running on a master server may need to be converted to an AB underneath another master server's RB. This then requires that customers visit each system in the first master server's domain to re-establish X.509 certificates that are signed by the new AB's certificate (underneath the AB's new RB). Another possibility is for the components that perform cross-domain communication to establish trust in each other's RBs. This, again, requires visiting each system in turn that is to participate in such cross-domain communication.
Unfortunately, the above two methods for supporting cross-domain communication are rarely used in practice. This is because they require significant up-front planning, and are difficult for customers to deploy as the primary domain they are working in is that of the service (e.g., backup), not security. This problem interferes with the deployment of proper security features within a single online service system such as NetBackup. The problem is exacerbated when attempting to enable multiple, multi-domain products to communicate with one another, thereby hampering product integration.
It would be desirable to address these issues.