Frascati, 2-3 July 2008 Slide 1 User Management compliance testing for G-POD HMA-T Phase 2 KO Meeting 2-3 July 2008, Frascati Andrew Woolf, STFC Rutherford.

Presentation transcript:

Frascati, 2-3 July 2008 Slide 1 User Management compliance testing for G-POD HMA-T Phase 2 KO Meeting 2-3 July 2008, Frascati Andrew Woolf, STFC Rutherford Appleton Laboratory Presented by Pedro Gonçalves, Terradue Srl.

Slide 2 HMA-T
- Background to G-POD User Management
- Objectives
- ITT and Proposal information
- Open Issues

Slide 3 ESA G-POD Infrastructure
- Computing and Storage Elements
  - Working Nodes, +120 TB on-line store
  - Middleware: LCG 2.6, GLOBUS 4, gLite3
  - Links to external CE and SE (e.g. campus, EGEE…)
- Data Interfaces
  - GS products Rolling Archives (ENVISAT, MSG) and MODIS NRT products over Europe
  - NASA and other external data providers
- Software resources on-line
  - IDL, Matlab, BEAT, BEAM, BEST, CQFD, Compilers, public domain image processing utilities
  - Spatial Catalogue access (e.g. EOLI) and data provision functions
- web portal and web services access powered by gridify, maintenance and evolution under Terradue responsibility

Slide 4 G-POD User Management
- Based on the Grid Security Infrastructure (GSI)
  - Secure communications between elements of a computational Grid.
  - Security across organizational boundaries (without a centrally managed security system)
  - User's "Single sign-on", including delegation of credentials for computations that involve multiple resources and/or sites.
- GRID Technology develop comprehensive infrastructure to handle common issues:
  - Security and "single sign on" with X509 certificates
  - Cross-community workgroups formation - "Virtual Organizations"
  - Dynamic discovery and utilization of shared resources and services
  - Location transparency (of users, computing resources, data etc.)
  - Workload scheduling and load-balancing
  - Accounting, auditing and traceability

Slide 5 G-POD Web Portal Interface
- Temporal/spatial selection of products
- Job definition, submission and live status monitoring
- Specific result visualization interfaces
- Access to output products and documentation

Slide 6 G-POD Web Service

Slide 7 Objectives
- WP 4000: HMA User Management for G-POD
  - Objective - Improve the harmonization of the authentication and authorization approaches between HMA and G-POD
- WP4300: Conformance testing
  - Objective – Demonstration of conformance to HMA User Management specification (07-118r1)
- User management (07-118r1) conformance clause empty
  - Potential additional objective – Propose conformance clause for User Management specification

Slide 8 ITT and Proposal Information
- r1 (User management)
- Approach:
  - Abstract Test Suite
    - conformant to ISO
    - basis for updated Conformance Clause in r1
  - Evaluate the Possibility of Executable Test Suite
    - for execution in CITE TEAM Engine
  - Test data and Test Report developed against G-POD implementation of User Management
  - Support

Slide 9 Abstract Test Suite
- Follow ISO and template recommended by OWS-5
- Covering key clauses in r1
  - authentication, authorisation, WS-Security (encryption, digest / signature, SAML, interface)

Slide 10 Executable Test Suite
- SoW I – Develop, deliver and deploy CITE conformance test scripts (for r1)
- Acceptance Test Plan to verify ATS (SoW I15)
- ETS developed against ATS
- Evaluate the possibility of execution within ESA's CITE TEAM Engine
- Using Compliance Test Language (CTL, )

Slide 11 Test data and Report
- Preparation of ancillary test data
  - schema files, authentication credentials, public/private keys, etc.
- Test plan validation report
  - executed against G-POD User Management interface
  - Prototype deployed on Terradue G-POD development platform

Slide 12 Support
- Support for the possible use of test suite against other implementations e.g. SSE Toolbox
- note SSE Toolbox gateway to G-POD already implemented in previous work

Slide 13 Initial thoughts on relevant clauses of r1
- WS-Security (cl )
  - Encryption/decryption of SAML token by authentication service (cl )
  - Message digest and digital signature (cl )
- Authentication
  - Four cases outlined in r1 for federated identity management (cl )
  - For G-POD, federating entity is the same as Identity Provider
- Authorisation workflow
  - Issues Service Request invocation to target service with SAML token, enforced at Policy Enforcement Point (cl )

Slide 14 Initial thoughts on relevant clauses of r1
- SAML Profile
  - check token format against WS-Security spec (cl )
- Interface
  - Authenticate operation (cl. 7.1)
    - e.g. encoding of request (cl ), response (cl ), failure (cl )
  - Service Request operation (cl. 7.2)
    - i.e. enforcing authorisation at PEP, invoking target operation
    - check encoding of request (cl ) and invocation failure (cl )

Slide 15 Issues / Risks
- r1 – no conformance clauses specified, foreshadowed extension of conformance tests for Cataloguing (06-131), Ordering (06-141), Programming (07-018)
  - proposal addresses r1 conformance separate from above HMA specs
- r1 SOAP-based but SOAP/WSDL support identified as future work for CITE TEAM Engine

Slide 16 Issues / Risks
- Access to deployments of ESA CITE TEAM Engine and G-POD User management interface (based at development site)
- User Management Service Request invocation to G-POD different from {Cataloguing, Ordering, Programming} – extensibility of test scripts to other User Management interfaces?
- No federated Identity Management scenario