VPN Security
Communication in a hybrid cloud environment happens over the Internet. The VPN connection created between the cloud and the enterprise infrastructure provides a secure pathway for information and data to flow between the two. Again, we used OpenVPN to provide a secure communication channel. OpenVPN uses OpenSSH-based security for encrypted communication. It is run in SSL/TLS mode with some optional configuration settings.
Table 1 lists the configuration options.
The certificates client.crt and ca.crt and the key client.key are generated and propagated to the client machine. The server machine holds the certificates ca.crt and server.crt and the key server.key. When an authorized tunnel is created between the client and the server, the validity of these certificates is verified, and only clients presenting a valid certificate are allowed to communicate with the server.
Results
The composite application we've described here has been deployed on a hybrid infrastructure comprising Eucalyptus Open Cloud as the cloud infrastructure and a local physical machine running within the enterprise infrastructure.
Domain 1 is hosted on an Apache Tuscany runtime deployed on an instance (a virtual operating system platform hosted on the IaaS cloud infrastructure). OpenVPN is used to create a secure tunnel between the instance and the local machine present inside the enterprise infrastructure. This creates a secure gateway through which the cloud instance is accessible to the local machine on the IP 10.8.0.6. The web service hosted on the cloud instance is bound to this tunnel IP, and thus it is not visible or accessible to a third party. Having thus established a secure gateway, the hybrid application can be tested for integration between the component hosted on the Cloud Domain and the component hosted on the Enterprise Domain. Figure 5 shows Domain 1 running on Apache Tuscany. This Tuscany runtime is hosted on a CentOS 5.2 instance running on the Eucalyptus Cloud Infrastructure.
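The certificate-based tunnel of the VPN Security section and the 10.8.0.6 binding described here, written out as OpenVPN configurations. This is an added example, not the project's own configuration: the paper does not say which host runs the OpenVPN server, so the enterprise machine is assumed to be the server and the cloud instance the client (which, with OpenVPN's default 10.8.0.0/24 net30 addressing, gives the first client 10.8.0.6); the file paths, the DH parameter file, the endpoint hostname and the Tuscany service URI are also assumptions.

```conf
##### server.conf : enterprise machine, assumed to be the OpenVPN server #####
port 1194
proto udp
dev tun
# Server-side PKI material named in the paper; the paths are assumed
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key  /etc/openvpn/server.key
dh   /etc/openvpn/dh2048.pem        # DH parameters (assumed; not named in the paper)
# OpenVPN's default tunnel subnet; with the default net30 topology the
# first client to connect is addressed 10.8.0.6, the address seen in the Results
server 10.8.0.0 255.255.255.0
# Peers must present a certificate chaining to ca.crt; there is no
# username/password fallback in this configuration
remote-cert-tls client              # additionally require a client-role certificate
keepalive 10 120
persist-key
persist-tun
verb 3

##### client.conf : cloud instance, assumed to be the OpenVPN client #####
client
dev tun
proto udp
remote vpn.enterprise.example 1194  # placeholder address of the enterprise endpoint
# Client-side PKI material named in the paper
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/client.crt
key  /etc/openvpn/client.key
# Refuse the handshake unless the peer presents a server-role certificate,
# so a second holder of a client certificate cannot pose as the server
remote-cert-tls server
nobind
persist-key
persist-tun
verb 3

##### Domain 1 composite : bind the SCA web service to the tunnel address only #####
# <binding.ws uri="http://10.8.0.6:8080/CloudService"/>   (service name and port assumed)
# Listening on 10.8.0.6 rather than 0.0.0.0 is what keeps the service out of
# reach of hosts that are not on the VPN.
```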
Figure 6 shows Domain 2 running on Apache Tuscany. This Tuscany runtime is hosted on a physical machine running within the Enterprise Infrastructure. This Domain consists of a single Component from which three methods are called. This component references the web service hosted on Domain 1, on the cloud. The method calls successfully retrieve the necessary information from this remote service and display the data accordingly.
Conclusion
This project illustrates that distributed applications comprising composite modules (distributed across the cloud and the Enterprise Infrastructure) can be integrated and made to function as a single unit using Service Component Architecture (SCA) without compromising on security.