The invention applies particularly well to network management systems, in particular telecommunications network management systems. This particular application is described in greater detail below, but the invention also has other applications, for example e-business applications.
Telecommunications network management systems conventionally include a set of management software applications. These applications can be distributed within a distributed system and may need to communicate with one another to exchange data.
It may be necessary for such communication to be secure. Depending on the threat and on the sensitivity of the data transmitted, various security services can be employed, for example:
- Identification and authentication: this technique assures the receiver of a message that the source is authentic. This guarantees that there are no messages in the system sent by an ill-intentioned third party.
- Access control: an application responds to commands contained in messages only in accordance with rules defined in a security policy. For example, an application can communicate only with a particular set of other applications.
- Non-repudiation: some of the data in the messages exchanged is stored so that neither party can deny having participated in the communication.
- Confidentiality: messages are encrypted so that third parties are unable to interpret the contents.
The above services, and others not referred to, are typically provided by dedicated software applications referred to as security servers. There can be more than one security server, each providing one or more security services. Likewise, each security service can be provided with different levels of quality.
FIG. 1 shows a prior art architecture that has been used in this field. An application A1 requires secure communication with an application A2. To this end it can use a security server S1 which provides low-level cryptographic support or a security server S2 which provides a high-level cryptography service.
If the application A1 uses the server S1, it initially sends a request-for-service message m1 to the server S1. The server S1 returns a key in a response message m2. The application A1 can then send its message m3 to the application A2 after encrypting it using the key.
If the application A1 uses the security server S2, it passes to the security server S2 a message m′1 to be transmitted. The server S2 is responsible for implementing the cryptographic techniques and sends the encrypted message m′2 to the application A2.
The above two examples show that different levels of service can be available for the same security service. Similarly, for the same service and the same level of service, there can be different negotiation protocols between the initiating application (A1) and the security server. This applies to negotiating the encryption key in the case of a cryptographic service, for example. Examples of such protocols include the Diffie-Hellman and Needham-Schroeder methods. These methods are described in “Practical Intranet Security” by Paul Ashley and Mark Vandenwauver, published in 1999 by Kluwer Academic Publishers, for example.
To summarize, an application requiring secure communication with another application must be able to use different negotiation protocols according to the service and the level of service it requires.
This also implies that if a security server corresponding to a given service and a given level of service is to be replaced with another server that offers, for example, a higher quality of service but uses a different negotiation protocol, the applications will have to be modified unless they were equipped for the new protocol from the outset.
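The two exchanges of FIG. 1 and the consequence drawn from them above (one negotiation protocol per server, hence one code path per server in the initiating application) can be made concrete in a small simulation. The following Python is an added illustration and not code from the patent: the names A1, A2, S1, S2 and the messages m1, m2, m3, m′1, m′2 follow the text, while everything else is assumed for the sake of a runnable example, namely that S1 acts as a key-distribution server both ends can query, that S2 holds a key pre-shared with each receiver it serves, and that the cipher is a toy SHA-256 keystream, not something to protect real traffic.

```python
"""Simulation of the two prior-art exchanges of FIG. 1 (added illustration, not patent code).

Assumptions: S1 is modelled as a key-distribution server that both ends can query,
S2 holds a key pre-shared with each receiver it serves, and the cipher is a toy
SHA-256 keystream used only so that the example runs offline.
"""
import hashlib
import secrets


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Expand key || nonce || counter with SHA-256 until `length` bytes are available."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Toy cipher (demonstration only): fresh 8-byte nonce, then XOR with the keystream."""
    nonce = secrets.token_bytes(8)
    stream = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ s for p, s in zip(plaintext, stream))


def toy_decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:8], blob[8:]
    return bytes(c ^ s for c, s in zip(body, _keystream(key, nonce, len(body))))


class S1:
    """Low-level cryptographic support: answers a request m1 with a session key in m2."""

    def __init__(self) -> None:
        self._pair_keys: dict = {}  # (sender, receiver) -> session key

    def handle(self, m1: dict) -> dict:
        if m1["type"] != "request-for-service":
            raise ValueError("S1 only understands request-for-service")
        key = self._pair_keys.setdefault((m1["from"], m1["to"]), secrets.token_bytes(32))
        return {"type": "key", "key": key}  # m2


class S2:
    """High-level cryptography service: encrypts m'1 itself and delivers m'2 to the receiver."""

    def __init__(self) -> None:
        self.keys: dict = {}        # receiver name -> key assumed pre-shared with that receiver
        self._receivers: dict = {}  # receiver name -> application object

    def register(self, app) -> None:
        self._receivers[app.name] = app
        self.keys[app.name] = secrets.token_bytes(32)

    def handle(self, m_prime_1: dict) -> dict:
        to = m_prime_1["to"]
        m_prime_2 = {"type": "s2-encrypted", "from": m_prime_1["from"], "to": to,
                     "body": toy_encrypt(self.keys[to], m_prime_1["plaintext"])}
        self._receivers[to].receive(m_prime_2)
        return m_prime_2


class A2:
    """Receiving application: must recognise traffic arriving via either server."""

    def __init__(self, name: str, s1: S1, s2: S2) -> None:
        self.name, self._s1, self._s2 = name, s1, s2
        self.inbox: list = []

    def receive(self, m: dict) -> None:
        if m["type"] == "s1-encrypted":
            # Assumed: A2 obtains the same pair key from S1 with its own m1/m2 exchange.
            key = self._s1.handle({"type": "request-for-service", "from": m["from"], "to": self.name})["key"]
        elif m["type"] == "s2-encrypted":
            key = self._s2.keys[self.name]
        else:
            raise ValueError(f"unknown message type {m['type']!r}")
        self.inbox.append(toy_decrypt(key, m["body"]))


class A1:
    """Initiating application: one code path per server, i.e. per negotiation protocol."""

    def __init__(self, name: str, s1: S1, s2: S2, peer: A2) -> None:
        self.name, self._s1, self._s2, self._peer = name, s1, s2, peer

    def send_via_s1(self, plaintext: bytes) -> list:
        m1 = {"type": "request-for-service", "from": self.name, "to": self._peer.name}
        m2 = self._s1.handle(m1)
        m3 = {"type": "s1-encrypted", "from": self.name, "to": self._peer.name,
              "body": toy_encrypt(m2["key"], plaintext)}
        self._peer.receive(m3)
        return ["m1", "m2", "m3"]

    def send_via_s2(self, plaintext: bytes) -> list:
        m_prime_1 = {"type": "transmit", "from": self.name, "to": self._peer.name, "plaintext": plaintext}
        self._s2.handle(m_prime_1)  # S2 produces and delivers m'2 itself
        return ["m'1", "m'2"]


def run_demo() -> dict:
    """Wire up FIG. 1, send one message along each path, and report what A2 decrypted."""
    s1, s2 = S1(), S2()
    a2 = A2("A2", s1, s2)
    s2.register(a2)
    a1 = A1("A1", s1, s2, a2)
    transcripts = [a1.send_via_s1(b"hello via S1"), a1.send_via_s2(b"hello via S2")]
    return {"a2_inbox": a2.inbox, "transcripts": transcripts}
```

Calling `run_demo()` shows both messages reaching A2 in clear, with the three-message sequence for S1 and the two-message sequence for S2. The point of the passage is visible in the shape of A1: `send_via_s1` and `send_via_s2` are distinct code paths, so replacing S1 with a server that negotiates keys differently (say, with a Diffie-Hellman exchange instead of a handed-out key) means editing A1, and A2 likewise carries one branch per server style.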
What is more, the communications resources to be used to reach each security server can be different. For example, each application must be able to manage direct access, access via a software bus such as the CORBA (Common Object Request Broker Architecture) of the OMG (Open Management Group) or Microsoft's DCOM (Distributed Common Object Management), or access via a network.