CA system and CyberScience Infrastructure
Shinji Shimojo, Cybermedia Center, Osaka University (PDF slide deck)


SLIDE 1

CA system and CyberScience Infrastructure

Shinji Shimojo Cybermedia Center Osaka University

Cybermedia Center: IT Center for Osaka University

  • Management of Information Networks: support operation of ODINS, the campus-wide network; introduce new network technologies
  • Multimedia-based Science Education: from computer literacy to advanced computer use and faculty development; close linking between computer-related science and natural science methodology
  • Distance Learning in Multimedia Classrooms: support planning and operation of SCS distance learning; promote distance learning on networks; multimedia-based distance learning system
  • Internationalization and language education: foreign language education based on multimedia technologies; development of multimedia-based teaching materials
  • Electronic library: digitalization of precious contents; management of various databases; sophisticated processing of multimedia contents
  • Supercomputing: computing services for the supercomputer; a new computing paradigm using computers; science simulation using supercomputers
  • Information Media Education Support: computer literacy; computer-based information explorer; creating multimedia contents for classes

Photos: Briefing of the Supercomputing System; Lecture at SCS (Space Collaboration System)/VSAT (Very Small Aperture Terminal) Osaka Station; Supercomputer NEC SX-5; Education Lab using the computer system; Lecture with CALL (Computer Assisted Language Learning)

Equipment:
  • Supercomputer: NEC SX-5
  • File Server: Auspex NS7000/725, Disk: 806GB; DLT equipment for backup: 2400GB
  • Computation Server: HP Exemplar V2200/N Multinode System (3 nodes), CPU: PA8200 x 68, Main Memory: 36GB
  • DB/Web Server: NEC NX7000/260, CPU: PA8000, Main Memory: 256MB, Disk: 88GB

SLIDE 2

CyberScience Infrastructure for Advanced Science (by NII)

  • Publication of scientific results from academia
  • Human Resource Development and strong organization
  • Deployment of Grid middleware as a glue
  • Virtual Organization for science
  • For competitiveness in the global world
  • Development of Authentication System for Academia
  • Scientific Repository
  • Industry Liaison and Social Benefit; Global Contribution

Super-SINET: a next-generation network infrastructure supported by NII and the 7 National Computer Centers (Hokkaido Univ., Tohoku Univ., Univ. of Tokyo, Nagoya Univ., Kyoto Univ., Osaka Univ., Kyushu Univ., with NII; also Tokyo Institute of Technology, Waseda University, High Energy Accelerator Research Organization (KEK), etc.)

Shared instruments shown in the figure: MEG: AIST (Ikeda); high-resolution CT: SPring-8; UHVEM: Ultra-High Voltage Electron Microscope Center

Why we need CyberScience Infrastructure (CSI) in Cybercampus

  • Securely and safely sharing infrastructure

– Ex. The Grid provides a heterogeneous, large-scale computational environment – Ex. Large observation devices should be shared.

  • Securely and safely sharing information

– Ex. Sharing medical record for research and diagnosis

International and National Collaboration is a key to science

SLIDE 3

[Figure: CyberScience Infrastructure across the seven computing centers and NII]

  • Kyusyu Univ. Computing and Communications Center
  • Kyoto Univ. Academic Center for Computing and Media Studies
  • Osaka Univ. Cybermedia Center
  • Tohoku Univ. Information Synergy Center
  • Hokkaido Univ. Information Initiative Center
  • Tokyo Univ. Information Technology Center
  • Nagoya Univ. Information Technology Center
  • National Institute of Informatics

Computing center federation using Grid technologies, on a secure and dependable federation infrastructure.

Univ. A, Univ. B (campus services riding on the same federation):
  • Wireless LAN and information wall socket roaming service
  • Federation of device-based authentication infrastructure
  • Web and e-learning contents sharing and students' credit transfer service

PKI-based authentication infrastructure must be deployed to replace password-based authentication infrastructure.

Requirements for authorization/authentication mechanism

  • Information systems exist everywhere.
  • Password-based authentication is no longer safe.
  • People are moving around.
  • Inter-organizational, institutional and university collaboration is necessary for future science.
  • Intra-domain solutions are not enough.

SLIDE 4

Elements of CSI

  • PKI for Global Identity
  • PMA (Policy Management Authority) for coordinated Trusted Domains
  • Identity Mapping
  • Single Sign On
  • Grid/Web Service Middleware
  • Grid (OGSA)/Web Service Applications

Related Members

  • 7 Computing Centers in Japan
    – Hokkaido Univ., Tohoku Univ., Tokyo Univ., Nagoya Univ., Kyoto Univ., Osaka Univ., Kyusyu Univ.
  • Cooperative activities
    – Authentication Workshop: considering campus-wide authentication infrastructure
    – Grid Computing Workshop: considering computing service federation among the Computing Centers
  • NAREGI PKI WG
    – Supports the activities of the 7 Computing Centers from the technical aspect

SLIDE 5

National Research Grid Initiative (NAREGI) Project: Overview

  • A new Japanese MEXT National Grid R&D project, ~US$17M in FY'03 (similar until FY'07)
  • One of two major Japanese Government Grid projects
  • Collaboration of national labs, universities and major computing and nanotechnology industries
  • Acquisition of computer resources is done (FY2003)
    – 5 TFlops, 700GB for development
    – 10 TFlops, 5TB for application

MEXT: Ministry of Education, Culture, Sports, Science and Technology

NAREGI Work Packages

  • WP-1: National-Scale Grid Resource Management: Matsuoka (Titech), Kohno (ECU), Aida (Titech)
  • WP-2: Grid Programming: Sekiguchi (AIST), Ishikawa (AIST)
  • WP-3: User-Level Grid Tools & PSE: Miura (NII), Sato (Tsukuba-u), Kawata (Utsunomiya-u)
  • WP-4: Packaging and Configuration Management: Miura (NII)
  • WP-5: Networking, National-Scale Security & User Management: Shimojo, Imase (Osaka-u), Oie (Kyushu Tech.)
  • WP-6: Grid-Enabling Nanoscience Applications: Aoyagi (Kyushu-u)

SLIDE 6

NAREGI Work Packages

[Figure: work packages layered over SuperSINET]
  • Grid Application Layer: WP6 Grid-Enabled Applications; WP2 Grid Programming (GridRPC, GridMPI); WP3 Grid PSE, Grid Workflow, Grid Visualization
  • Grid Middleware Layer: WP1 Grid VM, Super Scheduler, Grid Distributed Information Services; WP4 Packaging (Globus, Condor, UNICORE, OGSA); WP5 High-Performance & Secure Grid Networking
  • SuperSINET; Computing Resources at NII, IMS, research organizations and other academic institutes

Overview of Research and Development

Grid concept: "A Grid is a collection of distributed computing resources over a network that appear to a user or an application as one large virtual computing system."

Our Research Group (over SuperSINET, the high-speed managed network):
  • Secure Grid (PKI) Infrastructure Group
  • Communication Protocol Infrastructure Group
  • Network Function Infrastructure Group (Measurement, Management and Control)

SLIDE 7

Research Plan of Secure Grid Infrastructure

  • Development and operation of an authentication service for UNICORE and Globus
  • Development of a certification authority (CA), registration authority (RA) and authentication policy based on the basic assurance level defined by GGF
  • Research & development of an authentication mechanism across policy domains, to be proposed to GGF
  • Develop a security model for the Grid based on PKI and realize authentication across organizations and VO management

A Security Model of Grid communication platform

[Figure: the user holds a certificate from the NAREGI authentication policy domain (CSR to the RA, certificate issued by the CA). The user creates a proxy; the proxy creates the job request and delegates to a process on the resource; the resource validates the certificate before the process is created. Resources in other authentication policy domains have their own CA/RA, and collaboration across domains requires the domains' policies to be linked.]
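The delegation path in the figure (user certificate from the CA, short-lived proxy created by the user, resource validating the chain before running the job), as an added example that is not NAREGI code. Everything here is an assumption for illustration: textbook RSA with 256-bit primes stands in for real X.509 signatures, a dict stands in for the certificate, the DNs are made up, proxies are named by appending "/CN=proxy" to the issuer DN (the RFC 3820 / Globus convention), and the rule that a proxy may not outlive its issuer is a site policy, not something the slide states.

```python
"""Toy model of the grid security flow: CA -> user certificate -> proxy ->
resource-side chain validation.  Added example, not NAREGI code.  Textbook
RSA with 256-bit primes stands in for real X.509 signatures; never reuse it."""
import hashlib
import json
import random


def _probable_prime(bits, rounds=24):
    """Random odd `bits`-bit integer that passes Miller-Rabin."""
    while True:
        n = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        d, r = n - 1, 0
        while d % 2 == 0:
            d, r = d // 2, r + 1
        for _ in range(rounds):
            x = pow(random.randrange(2, n - 1), d, n)
            if x in (1, n - 1):
                continue
            for _ in range(r - 1):
                x = pow(x, 2, n)
                if x == n - 1:
                    break
            else:
                break  # witness found: composite, draw another n
        else:
            return n


def keygen(bits=256):
    """Toy RSA key pair -> (public dict, private exponent)."""
    while True:
        p, q = _probable_prime(bits), _probable_prime(bits)
        try:
            return {"n": p * q, "e": 65537}, pow(65537, -1, (p - 1) * (q - 1))
        except ValueError:  # 65537 not invertible mod phi(n): draw again
            pass


def _h(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def _tbs(cert):
    """Canonical to-be-signed bytes: every field except the signature."""
    return json.dumps({k: v for k, v in cert.items() if k != "sig"}, sort_keys=True).encode()


def issue(subject, pub, lifetime, issuer_cert, issuer_d, now, proxy=False):
    """Sign a certificate binding `subject` to `pub`; issuer_cert=None self-signs."""
    cert = {"subject": subject, "pub": pub, "proxy": proxy,
            "issuer": issuer_cert["subject"] if issuer_cert else subject,
            "not_before": now, "not_after": now + lifetime}
    n = issuer_cert["pub"]["n"] if issuer_cert else pub["n"]
    cert["sig"] = pow(_h(_tbs(cert)), issuer_d, n)
    return cert


def _signed_by(signer_pub, cert):
    return pow(cert["sig"], signer_pub["e"], signer_pub["n"]) == _h(_tbs(cert))


def validate_chain(chain, anchors, now):
    """Resource-side check of [proxy, ..., end-entity cert].  Returns the
    end-entity DN (the name the grid-mapfile maps) or raises ValueError."""
    eec = chain[-1]
    anchor = {a["subject"]: a for a in anchors}.get(eec["issuer"])
    if anchor is None or not _signed_by(anchor["pub"], eec):
        raise ValueError("end-entity certificate not issued by a trusted CA")
    if eec["proxy"]:
        raise ValueError("end-entity certificate must not be a proxy")
    for cert in chain:
        if not cert["not_before"] <= now <= cert["not_after"]:
            raise ValueError(f"{cert['subject']}: outside validity period")
    for cert, parent in zip(chain, chain[1:]):
        # Below the EEC every cert is a proxy signed by the cert above it, named by
        # appending one CN; the lifetime nesting rule is an assumed site policy.
        if not cert["proxy"] or cert["issuer"] != parent["subject"]:
            raise ValueError(f"{cert['subject']}: not a proxy issued by {parent['subject']}")
        if cert["subject"] != parent["subject"] + "/CN=proxy":
            raise ValueError("proxy subject must be the issuer DN plus one CN")
        if cert["not_before"] < parent["not_before"] or cert["not_after"] > parent["not_after"]:
            raise ValueError("proxy lifetime must lie inside its issuer's lifetime")
        if not _signed_by(parent["pub"], cert):
            raise ValueError("proxy signature does not verify")
    return eec["subject"]


def check(chain, anchors, now):
    """validate_chain without exceptions -> (ok, identity or reason)."""
    try:
        return True, validate_chain(chain, anchors, now)
    except ValueError as err:
        return False, str(err)


def build_scenario(now=1_700_000_000):
    """Constructed data: NAREGI CA signs a user cert; the user issues a 12 h proxy."""
    random.seed(7)
    ca_pub, ca_d = keygen()
    ca = issue("/C=JP/O=NAREGI/CN=NAREGI CA", ca_pub, 10 * 365 * 86400, None, ca_d, now)
    user_pub, user_d = keygen()
    dn = "/C=JP/O=NAREGI/OU=Osaka University/CN=Taro Yamada"
    user = issue(dn, user_pub, 365 * 86400, ca, ca_d, now)
    proxy_pub, _ = keygen()  # fresh key: the user's long-term key never leaves the workstation
    proxy = issue(dn + "/CN=proxy", proxy_pub, 12 * 3600, user, user_d, now, proxy=True)
    return {"ca": ca, "user": user, "user_d": user_d, "proxy": proxy, "now": now}
```

The resource never sees the user's long-term private key: the job carries only the proxy and its chain, and `validate_chain` walks from the end-entity certificate (which must be signed by a CA in the resource's trust store) down to the leaf, refusing a proxy that is misnamed, outlives its issuer, is expired, or carries a signature that does not verify. The DN it returns is the one looked up in the grid-mapfile.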

SLIDE 8

Software Stack of NAREGI-CA

[Figure: stack, bottom to top]
  • NW Infrastructure
  • AICA (existing Certificate Authority free software)
  • LCMP; RA: Registration Functions; CP/CPS
  • Auth. Policy (single domain); Auth. Policy Extension (multi-domains)
  • Command User Interface; Web User Interface; Web Service Interface (XKMS)
  • VO management cooperation functions; Audit; PMA
  • NAS (NAREGI Authentication Service)
Development phases: v1.0 in FY 2003, v1.1 in FY 2004, v2.0 in FY 2005.

NAREGI-CA Features

  • Compliance with the basic security level of GGF
    – Independent Registration Authority (RA) server
    – Practical CP/CPS template
  • License ID management
    – Transfers the authentication responsibility to the Local RA
  • Dual interfaces for certificate request
    – Web & command line enrollment
  • Grid operation extensions
    – Batch issue of certificates from the command line
    – Assistance with grid-mapfile & UUDB creation
  • Future extensions
    – Cooperation of CAs by linking policy domains
    – ID federation between sites
    – VO management

SLIDE 9

Virtual Organization

[Figure: Services and users are exposed in a Virtual Organization. Organization A (service_a, service_b, service_c; user 1, user 2, user 3) and Organization B (service_x, service_y, service_z; user p, user q, user r) each sign a contract (Contract A, Contract B) with the VO; the VO exposes service_a, service_c and user 1 (the VO Manager) from A and service_x, service_y and user p from B. The PKI domain of each organization and the VO domain are separate security domains.]

Virtual Organization and Security Domain

Definition of VO on GGF (CAS, Community Authorization Service; VOMS, Virtual Organization Membership Service): "A virtual organization (VO) is a dynamic collection of resources and users unified by a common goal and potentially spanning multiple administrative domains." (Figure: Mineo, PKI group, NEC)

NAREGI-CA Architecture

RA (Registration Authority); CA (Certificate Authority); Local RA (Site Administrator); End User & Host Administrator

  ① Site Administrator gets License IDs from the RA
  ② RA authorizes the Site Administrator to pass License IDs on
  ③ End user or host administrator generates a key pair
  ④ License ID & public key are passed to the RA
  ⑤ CSR is sent
  ⑥ CA issues the certificate
  ⑦ End user gets the certificate
  ⑧ Site Administrator gets the grid-mapfile or UUDB data

SLIDE 10

NAREGI-CA Registration Sequence

Actors: End user, Host administrator and Site Administrator (user site); CA Administrator and RA Server (NAREGI site).

  • 1. Prepare LicenseIDs: the Site Administrator requests LicenseIDs; the CA Administrator issues LicenseIDs.
  • 2. User registration: account request and account registration between user and Site Administrator (might be face to face, telephone, mail and so on); the Site Administrator issues a LicenseID to the user.
  • 3. Submit a LicenseID and request to issue a certificate (certificate request via command line or Web, online); the RA server accepts the user request (issue, revoke, update).
  • 4. Request to revoke a certificate.
  • 5. Request to update a certificate.
  • 6. grid-mapfile generation: the RA server publishes the base grid-mapfile; the Site Administrator downloads it and generates the mapfile for the local site.
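The control point of this sequence is the License ID: the Local RA vouches for a person offline, and the RA server will only turn that voucher into a certificate once. The checks an RA server needs for steps 1, 3 and 4, as an added example that is not NAREGI-CA's own code. Assumed for illustration: the DN layout /C=JP/O=NAREGI/OU=<site>/CN=<name>, a Site Administrator DN of the form CN=Site Administrator under the site's OU, the License ID format, and storing only a hash of each License ID.

```python
"""Added example, not NAREGI-CA's own code: the License ID checks an RA server
makes in the registration sequence above.  DN layout (/C=JP/O=NAREGI/OU=<site>/
CN=<name>), the Site Administrator DN and hashed-at-rest storage are assumptions."""
import hashlib
import secrets

ORG_RDNS = ["C=JP", "O=NAREGI"]  # assumed organisation part of every NAREGI DN


def _digest(license_id):
    """Only a hash is kept, so a copy of the RA database cannot be used to enroll."""
    return hashlib.sha256(license_id.encode()).hexdigest()


def _site_of(dn):
    """Return the OU (site) of a well-formed DN, or None if the DN is outside the namespace."""
    parts = dn.lstrip("/").split("/")
    if len(parts) != 4 or parts[:2] != ORG_RDNS or not parts[2].startswith("OU=") \
            or not parts[3].startswith("CN="):
        return None
    return parts[2][3:]


class RAServer:
    def __init__(self, now):
        self._now = now        # callable returning epoch seconds (injected for testing)
        self._licenses = {}    # digest(license id) -> {"site", "expires", "used_by"}
        self._certs = {}       # dn -> {"site", "pubkey", "status"}
        self.audit = []        # append-only trail for the CA audit

    def issue_license_ids(self, site, count, lifetime=30 * 86400):
        """Step 1: the CA administrator prepares License IDs for one site."""
        ids = [f"{site}-{secrets.token_urlsafe(12)}" for _ in range(count)]
        for lid in ids:
            self._licenses[_digest(lid)] = {"site": site, "expires": self._now() + lifetime,
                                            "used_by": None}
        self.audit.append(("issue_license_ids", site, count))
        return ids

    def request_certificate(self, license_id, dn, pubkey):
        """Step 3: the user presents a License ID with the DN and public key of the CSR."""
        rec = self._licenses.get(_digest(license_id))
        if rec is None:
            raise PermissionError("unknown License ID")
        if rec["used_by"] is not None:
            raise PermissionError("License ID already consumed")
        if self._now() > rec["expires"]:
            raise PermissionError("License ID expired")
        if _site_of(dn) != rec["site"]:
            # The Local RA vouched for a person at its own site only.
            raise PermissionError(f"DN {dn!r} is outside the namespace of the {rec['site']} Local RA")
        if self._certs.get(dn, {}).get("status") == "issued":
            raise PermissionError("DN already holds a certificate; use the update request")
        rec["used_by"] = dn  # consumed before the CA is asked, so a retry cannot double-issue
        self._certs[dn] = {"site": rec["site"], "pubkey": pubkey, "status": "issued"}
        self.audit.append(("issue", rec["site"], dn))
        return dict(self._certs[dn], dn=dn)

    def request_revocation(self, dn, requester_dn):
        """Step 4: only the holder or the Site Administrator of the same site may revoke."""
        cert = self._certs.get(dn)
        if cert is None or cert["status"] != "issued":
            raise PermissionError("no issued certificate for that DN")
        site_admin = "/" + "/".join(ORG_RDNS + [f"OU={cert['site']}", "CN=Site Administrator"])
        if requester_dn not in (dn, site_admin):
            raise PermissionError(f"{requester_dn} may not revoke {dn}")
        cert["status"] = "revoked"
        self.audit.append(("revoke", cert["site"], dn, requester_dn))
        return "revoked"


def attempt(action, *args):
    """Run an RA action and report (ok, result or reason) instead of raising."""
    try:
        return True, action(*args)
    except PermissionError as err:
        return False, str(err)
```

Two points matter in practice. The License ID is marked used before the CA is invoked, so a crashed or retried request cannot yield two certificates for one voucher; and the DN is checked against the OU of the site that issued the License ID, which is what "transfer authentication responsibility to the Local RA" has to mean: a site administrator can only vouch for names inside his own namespace.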

XKMS Interface in NAREGI-CA v2.0

  • Certificate Issue basic Interface
    – Application: XKRSS Registration; XKRSS Request Authentication
    – Issue Management: XKRSS Revocation
  • Certificate Information Services basic Interface
    – Certificate Retrieval: XKISS Locate
    – Signature Verification: XKISS Validate
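What a grid service would send to such a responder for XKISS Validate, and how to read the answer without being fooled by a partial or Indeterminate result, as an added example that is not NAREGI-CA code. Element and attribute names follow W3C XKMS 2.0; the service URL, request ids and the sample responses are constructed. One thing the example deliberately leaves out: a real client must verify the responder's XML Signature over the ValidateResult before believing any of it.

```python
"""Added example, not NAREGI-CA code: an XKISS Validate exchange with an XKMS
responder such as the one planned for NAREGI-CA v2.0.  Element and attribute
names follow W3C XKMS 2.0; the service URL, request ids and the sample
responses are construct ed.  A real deployment must also verify the
responder's XML Signature over the result, which is not done here."""
import xml.etree.ElementTree as ET

XKMS = "http://www.w3.org/2002/03/xkms#"
DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("xkms", XKMS)
ET.register_namespace("ds", DS)
# Reasons the responder must have positively checked before we trust the key binding.
REQUIRED_REASONS = {XKMS + r for r in ("IssuerTrust", "RevocationStatus", "ValidityInterval", "Signature")}


def _x(name):
    return f"{{{XKMS}}}{name}"


def build_validate_request(request_id, service, cert_b64, usage="Signature"):
    """XKISS ValidateRequest asking whether the key in an X.509 cert may be used for `usage`."""
    req = ET.Element(_x("ValidateRequest"), {"Id": request_id, "Service": service})
    ET.SubElement(req, _x("RespondWith")).text = XKMS + "X509Cert"
    qkb = ET.SubElement(req, _x("QueryKeyBinding"))
    x509 = ET.SubElement(ET.SubElement(qkb, f"{{{DS}}}KeyInfo"), f"{{{DS}}}X509Data")
    ET.SubElement(x509, f"{{{DS}}}X509Certificate").text = cert_b64
    ET.SubElement(qkb, _x("KeyUsage")).text = XKMS + usage
    return ET.tostring(req, encoding="unicode")


def evaluate_validate_result(xml_text, request_id):
    """-> (accept, reason).  Fail closed: accept only ResultMajor Success with a
    KeyBinding whose Status is Valid and lists every required reason; an
    Indeterminate status (e.g. the responder could not reach CRL/OCSP) is a refusal."""
    root = ET.fromstring(xml_text)
    if root.tag != _x("ValidateResult"):
        return False, f"unexpected element {root.tag}"
    if root.get("RequestId") != request_id:
        return False, "RequestId does not match our request (replayed or misrouted result)"
    if root.get("ResultMajor") != XKMS + "Success":
        return False, f"ResultMajor={root.get('ResultMajor')} ResultMinor={root.get('ResultMinor')}"
    status = root.find(f"{_x('KeyBinding')}/{_x('Status')}")
    if status is None:
        return False, "Success without a KeyBinding Status"
    if status.get("StatusValue") != XKMS + "Valid":
        return False, f"StatusValue={status.get('StatusValue')} reasons={[r.text for r in status]}"
    missing = REQUIRED_REASONS - {r.text for r in status.findall(_x("ValidReason"))}
    if missing:
        return False, "responder did not confirm: " + ", ".join(sorted(m.split("#")[1] for m in missing))
    return True, "valid"


def sample_result(request_id, status_value, valid_reasons, indeterminate_reasons=()):
    """Constructed, unsigned responder output used to exercise the evaluator."""
    reasons = "".join(f"<xkms:ValidReason>{XKMS}{r}</xkms:ValidReason>" for r in valid_reasons)
    reasons += "".join(f"<xkms:IndeterminateReason>{XKMS}{r}</xkms:IndeterminateReason>"
                       for r in indeterminate_reasons)
    return (f'<xkms:ValidateResult xmlns:xkms="{XKMS}" Id="resp-1" Service="https://ca.example.test/xkms" '
            f'RequestId="{request_id}" ResultMajor="{XKMS}Success"><xkms:KeyBinding Id="kb-1">'
            f'<xkms:Status StatusValue="{XKMS}{status_value}">{reasons}</xkms:Status>'
            f'</xkms:KeyBinding></xkms:ValidateResult>')
```

The evaluator treats "the responder did not say RevocationStatus is fine" exactly like "the responder said it is bad": a Validate that reports Success but only confirms IssuerTrust and Signature tells you nothing about revocation, and accepting it would let a revoked user certificate through the moment the CRL server is unreachable.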

SLIDE 11

NAREGI-CA Distribution

  • Free software according to the NAREGI intellectual property management rules
  • Distribution records of the current version 1.0
    – 61 at GGF, SC2004, etc.
  • Research collaboration
    – Audit of CA: AIST, Japan
    – PMA for international cooperation: APGRID
  • Future plan
    – Distribution in a Rocks Roll by SDSC, USA

Future Plan based on the OGSA Framework

[Figure, from The Open Grid Services Architecture, Version 1.0: Physical Environment; Infrastructure Services (WSRF, Web Services); Execution Management Services, Data Services, Resource Management Services, Security Services, Self-Management Services, Information Services; User Domain Applications.]

SLIDE 12

Functional Capabilities

[Figure, from The Open Grid Services Architecture, Version 1.0: Privacy Services, Authorization Services, Trust Services, Attribute Services, Audit/Secure-Logging Services, Credential Validation Services, Bridge/Translation Services. NAREGI mapping: Authentication is NAREGI-CA; Identity Mapping; Credential Conversion; VO Policy.]

Hypothetical OGSA version 2.0 documents schedule: Security Services WG draft publication at GGF17 ('06/6).

[Figure: NAREGI Middleware beta version, FY2005. The user obtains a user certificate (and CRL) from the CA/RA, with an OCSP responder planned for the future; MyProxy + VOMS produce a proxy certificate carrying VO attributes; at the grid site GRAM handles grid job submission, with account creation driven by the gridmap file and policy file; Grid VM and the Super Scheduler run the job.]

VOMS-type VO Management: DN, VO, Group, role, capability; DN is mapped to a pseudo account.
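The two places on these slides where a DN becomes a local account, as one added example that is neither NAREGI nor Globus code: step 6 of the registration sequence (a site turns the published base grid-mapfile into its own mapfile) and the VOMS-type mapping above (DN plus VO, group, role and capability to a pseudo account). The file syntax is the Globus grid-mapfile, one `"DN" account` per line; the sample base file, the trusted DN prefix, the pool names and the rule that a DN keeps the account it was leased are assumptions.

```python
"""Added example, not NAREGI or Globus code: (a) step 6 of the registration
sequence, a site generating its own grid-mapfile from the published base
file, and (b) the VOMS-type DN/VO/group/role -> pseudo account mapping shown
for the FY2005 middleware.  grid-mapfile syntax is Globus's ("DN" account);
the trusted DN prefix, pool names and lease rule are assumptions."""
import re

GRIDMAP_LINE = re.compile(r'^"(?P<dn>[^"]+)"\s+(?P<accounts>[\w.,-]+)$')
FQAN = re.compile(r'^(/[\w.-]+)+(/Role=[\w.-]+)?(/Capability=[\w.-]+)?$')

# Constructed sample of the base grid-mapfile the NAREGI RA publishes.
BASE_GRIDMAP = """# NAREGI base grid-mapfile (constructed sample)
"/C=JP/O=NAREGI/OU=Osaka University/CN=Taro Yamada" tyamada
"/C=JP/O=NAREGI/OU=Kyoto University/CN=Hanako Sato" hsato
"/C=JP/O=NAREGI/OU=Tohoku University/CN=Jiro Suzuki" jsuzuki
"/C=XX/O=Somewhere Else/OU=Osaka University/CN=Taro Yamada" tyamada
"""


def parse_gridmap(text):
    """grid-mapfile text -> {DN: [account, ...]}; blank lines and # comments ignored."""
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = GRIDMAP_LINE.match(line)
        if m is None:
            raise ValueError(f"malformed grid-mapfile line: {line!r}")
        mapping[m["dn"]] = m["accounts"].split(",")
    return mapping


def generate_local_gridmap(base_text, trusted_prefix, admitted_ous, local_accounts):
    """Step 6 at the site: keep only DNs under the trusted prefix whose OU this
    site admits, and replace the canonical account with the local one if mapped.
    A DN that merely resembles a NAREGI DN under another issuer is dropped."""
    out = ["# generated from the NAREGI base grid-mapfile; do not edit by hand"]
    for dn, accounts in sorted(parse_gridmap(base_text).items()):
        if not dn.startswith(trusted_prefix):
            continue
        rdns = dict(p.split("=", 1) for p in dn[len(trusted_prefix):].split("/") if "=" in p)
        if rdns.get("OU") in admitted_ous:
            out.append(f'"{dn}" {local_accounts.get(dn, accounts[0])}')
    return "\n".join(out) + "\n"


class PoolMapper:
    """VOMS-type mapping: FQANs arrive most-specific first; the first one with a
    configured pool wins, and a DN keeps the account it was leased."""

    def __init__(self, pools):
        self._free = {fqan: list(accounts) for fqan, accounts in pools.items()}
        self._leases = {}  # (dn, fqan) -> pseudo account

    def map(self, dn, fqans):
        for fqan in fqans:
            if not FQAN.match(fqan):
                raise ValueError(f"malformed FQAN: {fqan!r}")  # fail closed, do not skip
            if (dn, fqan) in self._leases:
                return self._leases[dn, fqan]
            if self._free.get(fqan):
                self._leases[dn, fqan] = self._free[fqan].pop(0)
                return self._leases[dn, fqan]
        raise PermissionError(f"{dn}: no pool account for {fqans}")

    def decide(self, dn, fqans):
        """map() as a (verdict, detail) pair for logging and testing."""
        try:
            return "mapped", self.map(dn, fqans)
        except PermissionError as err:
            return "denied", str(err)
        except ValueError as err:
            return "rejected", str(err)
```

The base file is data from another administrative domain, so the site filters it rather than copying it: a DN is admitted only if it sits under the issuer prefix the site trusts and in an OU the site has agreed to host, which is what stops a look-alike DN from a different issuer from landing on a real account. The pool mapper is fail-closed as well: an FQAN it cannot parse is an error, not a line to skip, and an exhausted pool denies rather than sharing an account.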

SLIDE 13

AuthN & AuthZ Services in the future

[Figure: the user (user certificate) logs in through a Web Server; MyProxy holds the proxy certificate of the user; the CA/RA provides the CRL and OCSP/XKMS; VO Management and LDAP act as Policy Information Points; the Authentication & Authorization Service (SAML + XACML) is the Policy Decision Point; the Super Scheduler and GRAM (Grid VM) act as the Policy Enforcement Point for grid job submission.]

Toward OGSA Security Services

  • Core Functional Capabilities
    – Authentication: NAREGI-CA
    – Identity Mapping: ID Federation
    – Credential Conversion: UNICORE-Globus Cooperation
    – VO Management
  • OGSA Security Services (T.B.D.)
    – Credential Validation Services
    – Trust Services
    – Attribute Services
    – Bridge/Translation Services
    – Authorization Services
    – Audit/Secure-Logging Services
    – Privacy Services

SLIDE 14

OGSA Security Services

[Figure, from The Open Grid Services Architecture, Version 1.0: a Requestor Application with its WS-Stub in the Requestor's Domain and a Service Provider Application with its WS-Stub in the Service Provider's Domain communicate over a Secure Conversation; each domain has Credential Validation, Trust, Authorization, Attribute, Audit/Secure-Logging and Privacy Services; the VO Domain provides the Bridge/Translation Services between them.]

Road to Cyber Science Infrastructure

  • 3-4 year plan
  • Define two security domains
    – Equivalent to commercial-level domain
    – Grid/PMA (Policy Management Authority) level domain
  • Set up a national PKI and its operation team
  • Build international trust for the global cyberinfrastructure

SLIDE 15

Summary

  • We need cyberscience infrastructure (CSI) for future collaborative science and education.
  • We believe PKI provides secure infrastructure for CSI.
  • International collaborative effort is necessary to build global CSI.
  • Professional collaboration for science and technology is necessary.