Grid Computing in Higher Education (Scott Rea) EDUCAUSE PKI Deployment Forum Madison, WI - April 15, 2008

2 Overview Brief introduction to Grids Why PKI is important for Grid computing International Grid Trust Federation - IGTF The Americas Grid Policy Management Authority - TAGPMA

3 Brief Introduction to Grids Some research activities require massive compute and/or data storage capability – usually associated with supercomputing needs –E.g. particle & nuclear physics modeling, protein folding, financial modeling, earthquake simulation, climate/weather modeling Not everyone has the resources to build a Supercomputer. Those fortunate enough to have a Supercomputer, may not have local resources that utilize its full potential 100% of the time Grid computing is distributed computing that brings the power of Supercomputing to the masses by creating a large and powerful self managing virtual computer out of a large collection of connected heterogeneous systems sharing various combinations of resources. The traditional Supercomputer has massive co-located processors and storage connected via a high speed bus – the traditional Grid computing setup utilizes many individual networked machines managed via a common interface to provide similar benefits

4 Examples of Grid Projects Open Science Grid ( –OSG is a consortium of software, service and resource providers and researchers, from universities, national laboratories and computing centers across the U.S., who together build and operate the OSG project. The project is funded by the NSF and DOE, and provides staff for managing various aspects of the OSG TeraGrid ( –TeraGrid is an open scientific discovery infrastructure combining leadership class resources at eleven partner sites to create an integrated, persistent computational resource. Resource Provider sites include: Indiana University, Oak Ridge National Laboratory, National Center for Supercomputing Applications, Pittsburgh Supercomputing Center, Purdue University, San Diego Supercomputer Center, Texas Advanced Computing Center, University of Chicago/Argonne National Laboratory, the National Institute for Computational Sciences, the Louisiana Optical Network Initiative, and the National Center for Atmospheric Research. SuraGrid ( –SURAgrid is a consortium of 30+ organizations collaborating and combining resources to help bring grid technology to the level of seamless, shared infrastructure. The vision for SURAgrid is to orchestrate access to a rich set of distributed capabilities in order to meet diverse users' needs. Capabilities to be cultivated include locally contributed resources, project-specific tools and environments, highly specialized or HPC access, and gateways to national and international cyberinfrastructure.

5 PKI in Grid Computing Why PKI is critical to grid computing –Massive compute power in the wrong hands can be extremely dangerous so there is a need for strong authentication of researchers who access Grid computing resources –PKI provides a cryptographic binding of researcher identities to an authentication token, and provides a mechanism for a central virtual organization to manage those credentials e.g. revoke if required –PKI facilitates the establishment of the trust infrastructure needed to create the virtual Supercomputer and secures communications between nodes in the Grid –PKI allows multiple local authorities to be trusted globally via a set of commonly agreed policies and practices for operational consistency

6 IGTF

7 International Grid Trust Federation IGTF founded in Oct, 2005 at GGF 15 IGTF Purpose: –Manage authentication services for global computational grids via policy and procedures IGTF goal: –harmonize and synchronize member PMAs policies to establish and maintain global trust relationships IGTF members: –3 regional Policy Management Authorities EUgridPMA APgridPMA TAGPMA 100+ CAs, 100,000+ credentials

8 IGTF general Architecture The member PMAs are responsible for accrediting authorities that issue identity assertions. The IGTF maintains a set of authentication profiles (APs) that specify the policy and technical requirements for a class of identity assertions and assertion providers. The management and continued evolution of an AP is assigned by the IGTF to a specific member PMA. –Proposed changes to an AP will be circulated by the chair of the PMA managing the AP to all chairs of the IGTF member PMAs. Each of the PMAs will accredit credential-issuing authorities and document the accreditation policy and procedures. Any changes to the policy and practices of a credential-issuing authority after accreditation will void the accreditation unless the changes have been approved by the accrediting PMA prior to their taking effect.

9 Green: EMEA countries with an Accredited Authority  23 of 25 EU member states (all except LU, MT)  +AM, CH, HR, IL, IS, MA, NO, PK, RO, RS, RU, TR, UA, ME, MK, SEE-GRID + CA, CERN (int), DoEGrids* Other Accredited Authorities:  DoEGrids (.us), GridCanada (.ca), CERN, SEE catch-all EUGridPMA members and applicants

10 EUgridPMA Membership X.509 certificate authorities –50 CAs accredited from 44 organizations –active applicants: 8 organizations Major relying parties –EGEE, DEISA, SEE-GRID, LCG, TERENA, OSG

11 Ex-officio Membership APAC (Australia) CNIC/SDG, IHEP (China) AIST, KEK, NAREGI (Japan) KISTI (Korea) NGO (Singapore) ASGCC, NCHC (Taiwan) NECTEC, ThaiGrid (Thailand) PRAGMA/UCSD (USA) General Membership U. Hong Kong (China) U. Hyderabad (India) Osaka U. (Japan) USM (Malaysia) Map of the APGrid PMA

12 APgridPMA Membership 14 Accredited CAs AIST (Japan) APAC (Australia) ASGCC (Taiwan) CNIC (China) IHEP (China) KEK (Japan) NAREGI (Japan) NCHC (Taiwan) NECTEC (Thailand) NGO (Singapore) KISTI (Korea) ThaiGrid (Thailand) C-DAC (India) UCSD (USA) General membership –Osaka U. (Japan) –U. Hong Kong (China) –U. Hyderabad (India) –USM (Malaysia)

13 TAGPMA

14 TAGPMA Membership Accredited –Argentina UNLP –Brazilian Grid CA –CANARIE (Canada)* –Chile REUNA CA –DOEGrids Root* –DOEGrids Classic* –EELA LA Catch all Grid CA –ESnet/DOE Office Science* –Mexico UNAM –NCSA – MICS –NCSA – SLCS –TACC – Root –Venezuela In Review –FNAL –Purdue University –TACC – Classic/SLCS –Virginia –USHER Relying Parties –Dartmouth/HEBCA –EELA –OSG –SDSC –SLAC –TeraGrid –TheGrid –LCG *Accredited by EUgridPMA

15 IGTF Certificate Profiles Classic X.509 CA Profile –Created and managed by EUGridPMA – SLCS Profile –Short Lived Credential Service –Created and managed by TAGPMA – MICS Profile –Member Information Credential Service –Created and managed by TAGPMA – Classic X.509 High Root Profile –Created and managed by EUGridPMA – Experimental CA –Created and managed by APGridPMA –

16 Proposed Inter-federations FBCA CA-1CA-2 CA-n Cross-cert HEBCA Dartmouth Wisconsin Texas Univ-N UVA USHER DST ACES Cross-certs SAFECertiPath NIH CA-1 CA-2CA-3 CA-4 HE JP AusCert CAUDIT PKI CA-1 CA-2 CA-3 HE BR Cross-certs Other Bridges IGTF C-4

17 High Medium Hardware CBP Medium Software CBP Basic Rudimentary C-4 High Medium Basic Rudimentary Foundation Classic Ca SLCS MICS FPKI IGTF HEBCA/USHER Classic Strong E-Auth Level 1 E-Auth Level 2 E-Auth Level 3 E-Auth Level 4 E-AUTH

18 Summary PKI facilitates Grid computing infrastructure –It allows components to be reliably authenticated –It allows users to be strongly authenticated –It facilitates secure communications and transactions –It facilitates management of virtual organizations Your school’s own PKI credentials can be utilized for Grid computing –Your certificate authority must be accredited by the IGTF (TAGPMA is the local body) –You must issue credentials matching one of the approved profiles

19 For More Information TAGPMA Website: Scott Rea -