MetaCentrum – the Czech computational grid Martin Kuba CESNET and Masaryk University Brno, Czech Republic.

Slides:

Advertisements

Similar presentations

MyProxy Jim Basney Senior Research Scientist NCSA

Advertisements

Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.

Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.

MyProxy: A Multi-Purpose Grid Authentication Service

Grid Computing, B. Wilkinson, 20045a.1 Security Continued.

Access Control Chapter 3 Part 3 Pages 209 to 227.

Kerberized Credential Translation Olga Kornievskaia Peter Honeyman Bill Doster Kevin Coffman Center for Information Technology Integration University of.

Grid Security. Typical Grid Scenario Users Resources.

National Center for Supercomputing Applications Integrating MyProxy with Site Authentication Jim Basney Senior Research Scientist National Center for Supercomputing.

Kerberos and PKI Cooperation Daniel Kouřil, Luděk Matyska, Michal Procházka Masaryk University AFS & Kerberos Best Practices Workshop 2006.

DGC Paris Community Authorization Service (CAS) and EDG Presentation by the Globus CAS team & Peter Kunszt, WP2.

National Center for Supercomputing Applications University of Illinois at Urbana-Champaign This material is based upon work supported by the National Science.

 Key exchange o Kerberos o Digital certificates  Certificate authority structure o PGP, hierarchical model  Recovery from exposed keys o Revocation.

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE CSci530: Computer Security Systems Authentication.

Security Mechanisms The European DataGrid Project Team

Single Sign-On for Java Web Start Applications Using MyProxy Terry Fleury, Jim Basney, and Von Welch November 3, 2006.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 10 Authenticating Users By Whitman, Mattord, & Austin© 2008 Course Technology.

WebFTS as a first WLCG/HEP FIM pilot

11 September 2007Milos Lokajicek Institute of Physics AS CR Prague Status of the GRID in the Czech Republic NEC’2007.

Catania Science Gateway Framework Motivations, architecture, features Catania, 09/06/2014Riccardo Rotondo

PKI Network Authentication Dartmouth Applications Robert Brentrup Educause/Dartmouth PKI Summit July 27, 2005.

TeraGrid ’06 National Center for Supercomputing Applications Managing Credentials on the TeraGrid with MyProxy Jim Basney.

Dr. John P. Abraham Professor UTPA.  Particularly attacks university computers  Primarily originating from Korea, China, India, Japan, Iran and Taiwan.

Integrating HPC and the Grid – the STFC experience Matthew Viljoen, STFC RAL EGEE 08 Istanbul.

National Computational Science National Center for Supercomputing Applications National Computational Science MyProxy: An Online Credential Repository.

KX509: Leveraging Kerberos to Obtain Digital Certificates for Web Client Authentication University of Michigan Kevin Coffman Bill Doster.

TeraGrid Science Gateways: Scaling TeraGrid Access Aaron Shelmire¹, Jim Basney², Jim Marsteller¹, Von Welch²,

Lecture 23 Internet Authentication Applications modified from slides of Lawrie Brown.

Windows Security. Security Windows 2000/XP Professional security oriented Authentication Authorization Internet Connection Firewall.

SSL, Single Sign On, and External Authentication Presented By Jeff Kelley April 12, 2005.

Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 22 – Internet Authentication.

Unit 1: Protection and Security for Grid Computing Part 2

Module 5 Configuring Authentication. Module Overview Lesson 1: Understanding Classic SharePoint Authentication Providers Lesson 2: Understanding Federated.

Single Sign-on with Kerberos 1 Chris Eberle Ryan Thomas RC Johnson Kim-Lan Tran CS-591 Fall 2008.

Simplify and Strengthen Security with Oracle Application Server Allan L Haensgen Senior Principal Instructor Oracle Corporation Session id:

TWSd - Security Workshop Part I of III T302 Tuesday, 4/20/2010 TWS Distributed & Mainframe User Education April 18-21, 2010  Carefree Resort  Carefree,

National Computational Science National Center for Supercomputing Applications National Computational Science NCSA-IPG Collaboration Projects Overview.

Identity Management in the Environment of Mendel University in Brno Milan Šorm.

Sudha Iyer Principal Product Manager Oracle Corporation.

Network access security methods Unit objective Explain the methods of ensuring network access security Explain methods of user authentication.

Grid Chemistry System Architecture Overview Akylbek Zhumabayev.

PKI Activities at Virginia September 2000 Jim Jokl

October 2002 INFN Catania 1 The (LHCC) Grid Project Initiative in Prague Dagmar Adamova INP Rez near Prague.

AAI WG EMI Christoph Witzig on behalf of EMI AAI WG.

HEPIX - HEPNT, 1 Nov Milos Lokajicek, IP AS CR, Prague1 Status Report - Czech Republic HEP Groups and experiments Networking and Computing Grid activities.

Claims-Based Identity Solution Architect Briefing zoli.herczeg.ro Taken from David Chappel’s work at TechEd Berlin 2009.

National Computational Science National Center for Supercomputing Applications National Computational Science GSI Online Credential Retrieval Requirements.

7 March 2000EU GRID Project Proposal Meeting CERN, M. Lokajicek 1 Proposal for Participation of the Czech Republic in the EU HEP GRID Project Institute.

Grid technology Security issues Andrey Nifatov A hacker.

Copyright Statement Copyright Robert J. Brentrup This work is the intellectual property of the author. Permission is granted for this material to.

WLCG Authentication & Authorisation LHCOPN/LHCONE Rome, 29 April 2014 David Kelsey STFC/RAL.

EMI is partially funded by the European Commission under Grant Agreement RI Federated Grid Access Using EMI STS Henri Mikkonen Helsinki Institute.

MGRID Architecture Andy Adamson Center for Information Technology Integration University of Michigan, USA.

EMI is partially funded by the European Commission under Grant Agreement RI Security Token Service (STS) Transforming the Existing User Credentials.

EMI is partially funded by the European Commission under Grant Agreement RI Security Token Service (STS) Simplified Credential Management Henri.

Active Directory Domain Services (AD DS). Identity and Access (IDA) – An IDA infrastructure should: Store information about users, groups, computers and.

SSH. 2 SSH – Secure Shell SSH is a cryptographic protocol – Implemented in software originally for remote login applications – One most popular software.

Trusted Organizations In the grid world one single CA usually covers a predefined geographic region or administrative domain: – Organization – Country.

Project Moonshot Daniel Kouřil EGI Technical Forum

1 Example security systems n Kerberos n Secure shell.

Fermilab supports several authentication mechanisms for user and computer authentication. This talk will cover our authentication systems, design considerations,

Non Web-based Identity Federations - Moonshot Daniel Kouril, Michal Prochazka, Marcel Poul ISGC 2015.

Grid activities in Czech Republic Jiri Kosina Institute of Physics of the Academy of Sciences of the Czech Republic

Federated Access to Storage EGI CF 2012 Luke Howard, Daniel Kouril, Michal Prochazka.

Open OnDemand: Open Source General Purpose HPC Portal

Federation made simple

Data and Applications Security Developments and Directions

Presentation transcript:

MetaCentrum – the Czech computational grid Martin Kuba CESNET and Masaryk University Brno, Czech Republic

MetaCentrum - the Czech computational grid2 Highlights MetaCentrum is a computing infrastructure pooling resources contributed by several universities, using AFS and Kerberos the mod_auth_kerb module for the Apache http server is maintained by Dan Kouřil of MetaCentrum Kerberos support for Firefox/Mozilla was developed in MetaCentrum

MetaCentrum - the Czech computational grid3 History of MetaCentrum MetaCentrum was established in 1996 as a supercomputing meta-center consisting of –Supercomputing Center at Masaryk University in Brno –Supercomputing Center at University of West Bohemia in Plzeň –Supercomputing Center at Charles University in Prague later included –CESNET – operator of the Czech NREN (academic network) –University of South Bohemia in České Budějovice (Budweis) –University of Technology in Brno now connects 15 computer clusters consisting of 290 machines with 1500 CPUs, located in six geographical locations

MetaCentrum - the Czech computational grid4 MetaCentrum map

MetaCentrum - the Czech computational grid5 MetaCentrum users MetaCentrum is open and free for the Czech academic community users can be scientists or students from –26 public universities –57 institutes of the Czech Academy of Sciences challenges in establishing user identity users run applications for –computational chemistry –structural biology, protein engineering –material and structural simulations –liquid and gas flow simulations –mathematics, number theory –speech recognition and generation

MetaCentrum - the Czech computational grid6 Future of MetaCentrum MetaCentrum was involved in the DataGrid, EGEE I,II,III and EGI Design Study projects the coming European Grid Infrastructure (EGI) is organized in National Grid Infrastructures (NGIs) MetaCentrum is now transforming into the Czech NGI, its free resources will be one of many VOs (Virtual Organizations)

MetaCentrum - the Czech computational grid7 Infrastructure clusters of linux x86-compatible machines –strongest machines have 8x quadcore Opteron (32 cores), 256GB user accounts are maintained by own system Perun –Oracle database holding users, machines, accounts, etc. –master-slave architecture, generating local config files on changes several file systems (local,NFSv3,NFSv4,AFS) single sign-on using Kerberos –first access using Kerberos PAM module –Kerberized ssh, telnet, ftp, rsh (MPI needs) workload management system PBSPro, moving to Torque –Kerberized, own ticket renewal system for long running jobs web portal, supports Kerberos, SSL certs, Shibboleth,...

MetaCentrum - the Czech computational grid8 File systems several file systems for various needs –fast, but small and not shared – local HDD or SSD –large and shared, but slower - NFSv4 on all machines (100TB) –home directories shared by NFSv3 on local clusters –software installed on AFS with multiple read-only copies –experiments with Lustre for shared network scratch for shared FS we need Kerberos authN (not trusting admins of clients), thus NFSv4 or AFS both can be installed on user workstations from standard SUSE/Debian/Ubuntu repositories AFS is slow compared to NFSv4 both support ACL, AFS only directories, NFSv4 also files AFS supports multiple read-only copies

MetaCentrum - the Czech computational grid9 User authentication users can come from many of institutions ways of establishing user identity on web portal –paper application with boss’ signature (slow and too much work) –SSL client certificates (complicated, needs visit to RA) –eduroam (Wi-Fi federation) –access to local ID system (WebAuth, LDAP, Kerberos) –SAML (Shibboleth) identity federation eduId.cz after establishing identity, MetaCentrum account is created, annual renewal in exchange for report of activities authN to MetaCentrum machines –Kerberos –username/password translated to Kerberos –One Time Passwords translated to Kerberos

MetaCentrum - the Czech computational grid10 User authentication to web portal users manage their account through web portal authentication in web browser –username/password (HTTP basic auth) to mod_auth_kerb creates Kerberos ticket on the web server mod_auth_kerb maintained by Daniel Kouřil of MetaCentrum used by majority of users –Negotiate – GSSAPI Kerberos needs negotiation support in browser (MSIE and Konqueror have) support for Firefox/Mozilla was created as bachelor thesis in MetaCentrum and later included into the Firefox sources used only by our security experts –SSL client X509 certificates from grid Certification Authorities grid certificates have unique Distinguished Names best method, no typing or clicking, but used by few created new mod_ssl_preauth to have SSL client certs and other auth modules on one URL

MetaCentrum - the Czech computational grid11 USB tokens we tried USB token (Rainbow iKey 3000) for storing private key and certificate PKCS11 device encrypts and signs internally, never gives out the private key unsuccessful experiment –connector damaged after weeks –many applications do not support –problems with drivers –uncomfortable, must be connected to computer during work

MetaCentrum - the Czech computational grid12 Real authentication in MetaCentrum typical user authentication: –account created after authentication using identity federation user selects username and password –first login using username/password to frontend machine kerberos ticket and AFS tokens on the frontend machine –jobs submitted using kerberized PBSPro delegates kerberos ticket and AFS tokens –login to computing machines using kerberized ssh delegates kerberos ticket and AFS tokens –long running jobs have Kerberos tickets renewed using krb525 MetaCentrum maintains its own accounts in Kerberos –Shibboleth identity federation so far works only on web –no dependence on external services

MetaCentrum - the Czech computational grid13 Thank you Thank you for your attention Questions ?