Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 NMI Testbed Activities at Virginia SURA NMI Testbed Workshop October 1, 2004 Jim Jokl

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "1 NMI Testbed Activities at Virginia SURA NMI Testbed Workshop October 1, 2004 Jim Jokl"— Presentation transcript:

1 1 NMI Testbed Activities at Virginia SURA NMI Testbed Workshop October 1, 2004 Jim Jokl jaj@Virginia.EDU

2 2 UVa Participation in the NMI Testbed  Context for middleware @ UVa ~19,000 students (~5,000 graduate/professional) ~11,000 faculty and staff Consolidated central computing (ITC)  Academic & administrative computing, network & telecom A separate Hospital Computing group runs the systems that support patient care  NMI Testbed Project @ UVa Marty Humphrey – Computer Science  Focus on the Grid components Jim Jokl – ITC  Focus on the EDIT components

3 3 NMI Authentication & Authorization  Background A few authoritative systems  Email, Unix, Active Directory, some certificates Locally developed Apache module - UVaAuth  Enables authentication against reference systems  User developed applications OK since they do not collect the user name or password  But, no Web single sign on capability  Improving the situation leveraging some of the NMI components PubCookie as a replacement for UVaAuth Shibboleth for inter-institutional applications

4 4 Shibboleth at UVa  Goal: enable use of local UVa credentials to access remote resources with privacy protection  Initial installation & testing of our Shibboleth Origin against the Internet2 test target in February 2003 Clean installation, only headaches were with case sensitivity on a certificate field and some tomcat configuration issues  Initial application: WebAssign for Physics department courses First WebAssign group – April 2003 Production: fall 2003, spring 2004, and now Positive feedback from faculty, no real problems  Next application: JSTOR access Had also done the DLF certificate model earlier with JSTOR More library usage when some of this becomes mandatory and/or more pervasive  Shibboleth@UVa linklink

5 5 PubCookie at UVa  Motivation Replace local UVaAuth WebSO Apache module with PubCookie Obtain Web single sign on functionality  Main tasks Integrated our authentication into Pubcookie source  Added RADIUS and SMB authentication  PubCookie code well designed and easy to work with PubCookie-enable applications (link)link  Applications First application was going to be new student voting system  Didn’t fly due to branding issues on the login screen Testing the IIS version now Plan to work on many applications over the coming year  Web home directory interface, web mail, etc  Once we get enough applications converted, our portal will probably start to use the system

6 UVa Directory System Schematic

7 7 Directory Services  Goals All of the usual ones: a central repository for people, groups, attributes for authorization decisions, white pages, etc  Helpful NMI components LDAP Recipe eduPerson LDAP Analyzer  Upgrades completed eduPerson  Our central systems already had all of the data needed  We do not use eduPersonEntitlement at this time Added to UVaPerson Cisco VPN schema for authorization Provided mechanism for users to upload photos into the directory

8 8 University of Virginia PKI  Project Goal Enable PKI support in a wide range of applications  Deploy two campus CAs to support two types of PKI-enabled applications Standard Assurance CA  For better security on common applications  Improve ease of use on some applications  Identity proofing marginally stronger than used with simple passwords High Assurance CA  For new applications requiring high security and 2-factor authentication  Strong identity validation before certificate is issued

9 9 UVa Standard Assurance CA  Focus: new applications & ease of use  NMI components used PKI-Lite Policy/Practices framework (link)link PKI-Lite certificate profiles  Was designed to support many common applications over time Web authentication VPN authentication S/MIME: signed and encrypted email SSL server certificates EAP-TLS for wireless access control Grid authentication

10 10 Standard Assurance CA Applications  Cisco VPN services UVa-Anywhere remote access VPN  Pair of Cisco 3030 VPN concentrators, configured as full tunnel  Default tunnel transport is now TCP on port 80  Some early problems with some home router software, MTU “More Secure” network VPN  Uses LDAP authorization to prevent student access  Other Applications Web authentication (software download now, more later) Globus toolkit Perhaps Shibboleth & PubCookie in the future

11 11 EAP-TLS Wireless Authentication  User verifies the Radius server’s identity using PKI  The Radius server verifies the user’s identity using PKI  Association is allowed and dynamic session crypto keys are exchanged  Goal: an LDAP-based authorization step will be added soon User Access Point Radius Server LDAP AuthZ

12 12 Standard Assurance CA Applications: Wireless Authentication  Old wireless network Access control via LEAP or MAC registration  Transitioned to new authentication this summer Added an EAP-TLS VLAN, removed LEAP  This is the broadcast SSID Main issue encountered  Old drivers for user’s wireless cards Retaining a legacy MAC registration-only VLAN  Some devices do not support EAP-TLS Will add EAP-TLS VLAN for access to “More Secure” network in the future Some changes were made to the PKI-Lite certificate profile recommendations as a result of this work

13 13 UVa High Assurance CA  Focus Applications requiring high security and 2-factor authentication  NMI component Designed for Higher Education Campus Certificate Policy  Two-step Registration Authority (RA) Process In-person photo identification check User web form and dbase validation protects against a RA  User hardware token required 2-factor authentication, strong private key protection Enables easy mobility, provides idle timeout

14 14 UVa High Assurance CA Applications  Focus on applications needing higher assurance levels using 2-factor authentication SSH authentication for sysadmins of critical systems (ERP system admins and DBAs)  ssh.com commercial server & VanDyke SecureCRT VPN authentication for access to special purpose networks (ERP, HIPAA, etc) Web authentication for network management delegation to department staff Some internal apps: RA, VPN AuthZ mgmt, etc Future  Windows 2000/XP authentication??  Digital signatures and HEBCA applications??

15 15 VPN PKI 2-factor Authentication with LDAP Authorization VPN Concentrators Firewall LDAP AuthZ Servers Oracle ERP S1 S2 S3 Sn Hospital Net INOUT Main Campus Network OUT IN

16 16 Campus Globus Integration  Enable the use of a single set of central campus credentials for Grid applications Focus on intra-campus use Enable different research groups to share more easily  NMI components Globus toolkit PKI-Lite components  The Globus toolkit uses PKI for authentication of users and resources The PKI-Lite certificate profile works well with Globus  Intra-campus CA integration is complicated by the Globus interface Campus CAs and OS-exported certificates are generally in PKCS-12 format Globus expects raw PEM files for the certificate and the private key However, no significant problems for intra-campus use  Our longer-term goal: More use of Globus by campus researchers Build a UVa Grid

17 17 Inter-campus Globus Integration  Goal: support the use of native campus PKI credentials in an inter-institutional Grid Enable users to do all of their work using their local campus credentials  Inter-campus trust is more difficult Hierarchical PKI CAs PKI Bridge CA  Can we make Globus operate in a bridged PKI? OpenSSL PKI in Globus is not bridge-aware  Project: scope intercampus Grid trust issues preparing to leverage Higher Education PKI efforts EDUCAUSE Higher Education Bridge CA (HEBCA)HEBCA Internet2 US Higher Education Root CA (USHER)

18 18 Schematic of Grid Testbed PKI Integration Goal Campus E Grid A’s PKI Testbed Bridge CA Testbed CA Campus B Grid Campus C Grid Campus D Grid Campus A Grid Campus F Grid B’s PKI C’s PKI Cross-cert pairs User Certs

19 19 Inter-campus Testbed Globus Project Activity  Built Testbed Bridge CA Off-line system Used Linux and OpenSSL to build bridge Stored securely when not is use  Cross-certifications UVA UAB TACC USC  We’ll know a lot more in a few weeks

20 20 Grid Computing  Context for Grid computing at UVa Legion (1995 – 2002) GGF  Steering Committee  Security Area Director  OGSA Sec co-director (with Raj Nagaratnam, IBM) HPDC, SC Program Committees NPACI Other Grid efforts: DOE, DOD, NASA IPG OGSI.NET MyProxy (with Jim Basney, NCSA)

21 21 Focus for our involvement in Testbed  Help facilitate quality-control on NMI software It’s incredibly difficult! (e.g., Legion)  Grids on campus As research infrastructure  Grids in the classroom How do we teach middleware to undergrads/grads?  Opportunistically use the NMI components in our existing Grid projects E.g., does this give us the opportunity to explore some issues that we previously didn’t plan to?

22 22 Plan  Already using Globus/NWS/Condor-G in many research projects Replace with NMI “productized versions” of Globus, Condor-G, NWS (“CHARMM portal”)  Investigate issues of integrating with Campus information infrastructure PKI Integration (Re-Visit) Issues of UVa CWVC  Develop course materials for Grids

23 23 Grid Applications for Scientists  Goal - easy access to grid resources for biologists performing protein folding  Biologists want Access to distributed mass storage Transparent remote execution Security/authorization Web-based job submission/steering tools  Solution: Generic grid tools with customized interfaces for scientific apps

24 24 CHARMM R gyr  Molecular Dynamics Simulations (Protein Folding) 100-200 structures to sample (r,R gyr ) space

25 25 NPACI BioPhysics Portal

26 26 Results / Lessons: Research Projects  Transition to NMI versions largely straightforward Immediate upgrades not always necessary  Issues NMI components are not entirely “out-of-the- box perfect” NMI components, at this time, do not contain “full Grid picture”

27 27 Results / Lessons: Integration with Campus Information  Integrating Grids with UVa standard assurance CA Technical integration straightforward Still need to generate tool to ease cert/key installation Create UVa Web page: “Installing NMI Grids at UVa”  Issues Student privacy concerns not always consistent with Grid mechanisms  “Students of CS650 are allowed to execute jobs on grad11.cs.virginia.edu…” Broader: mechanism alone will not “coerce” resource owners to share

28 28 Results / Lessons: Course Material for Grids  Grad CS Class (CS650, F2002 and F2003) briefly introduced Grids In context of Web Services (  “Grid Services”)  Refining for future classes E.g., cs551 Senior-level distributed systems class  Issues Principles vs. “current fad” Is the learning curve too steep?

29 29 Bottom Line  UVa sees NMI as opportunity to “take it to the next level”  General lessons on the use of NMI Research projects: effective, but complex Campus Grid: must want to share In the classroom: principles vs. “current fad”  Very compelling progress in NMI program; more to come UVA Campus Grid project starts today, 10/1/04!

30 30  Comments, questions?  Thanks to many people at UVa and the other testbed sites who worked with us on many of these projects

Download ppt "1 NMI Testbed Activities at Virginia SURA NMI Testbed Workshop October 1, 2004 Jim Jokl"

Similar presentations

MyProxy Jim Basney Senior Research Scientist NCSA

MyProxy Jim Basney Senior Research Scientist NCSA
© S.J. Coles 2006 Usability WS, NeSC Jan 06 Experiences in deploying a useable Grid-enabled service for the National Crystallography Service Simon J. Coles.

© S.J. Coles 2006 Usability WS, NeSC Jan 06 Experiences in deploying a useable Grid-enabled service for the National Crystallography Service Simon J. Coles.
PKI Solutions: Buy vs. Build David Wasley, U. California (ret.) Jim Jokl, U. Virginia Nick Davis, U. Wisconsin.

PKI Solutions: Buy vs. Build David Wasley, U. California (ret.) Jim Jokl, U. Virginia Nick Davis, U. Wisconsin.
Digital Certificate Installation & User Guide For Class-2 Certificates.

Digital Certificate Installation & User Guide For Class-2 Certificates.
Digital Certificate Installation & User Guide For Class-2 Certificates.

Digital Certificate Installation & User Guide For Class-2 Certificates.
MyProxy: A Multi-Purpose Grid Authentication Service

MyProxy: A Multi-Purpose Grid Authentication Service
Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.

Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.
Certification Authority. Overview  Identifying CA Hierarchy Design Requirements  Common CA Hierarchy Designs  Documenting Legal Requirements  Analyzing.

Certification Authority. Overview  Identifying CA Hierarchy Design Requirements  Common CA Hierarchy Designs  Documenting Legal Requirements  Analyzing.
1 HEPKI-TAG Update EDUCAUSE/Dartmouth PKI Summit July 26, 2005 Jim Jokl University of Virginia.

1 HEPKI-TAG Update EDUCAUSE/Dartmouth PKI Summit July 26, 2005 Jim Jokl University of Virginia.
1 Network Authentication with PKI EDUCAUSE/Dartmouth PKI Summit July 27, 2005 Jim Jokl University of Virginia.

1 Network Authentication with PKI EDUCAUSE/Dartmouth PKI Summit July 27, 2005 Jim Jokl University of Virginia.
Grid Security. Typical Grid Scenario Users Resources.

Grid Security. Typical Grid Scenario Users Resources.
Password?. Project CLASP: Common Login and Access rights across Services Plan

Password?. Project CLASP: Common Login and Access rights across Services Plan
PKI Activities at Virginia January 2004 CSG Meeting Jim Jokl.

PKI Activities at Virginia January 2004 CSG Meeting Jim Jokl.
National Center for Supercomputing Applications Integrating MyProxy with Site Authentication Jim Basney Senior Research Scientist National Center for Supercomputing.

National Center for Supercomputing Applications Integrating MyProxy with Site Authentication Jim Basney Senior Research Scientist National Center for Supercomputing.
Kerberos and PKI Cooperation Daniel Kouřil, Luděk Matyska, Michal Procházka Masaryk University AFS & Kerberos Best Practices Workshop 2006.

Kerberos and PKI Cooperation Daniel Kouřil, Luděk Matyska, Michal Procházka Masaryk University AFS & Kerberos Best Practices Workshop 2006.
Dartmouth PKI Deployment Robert Brentrup PKI Summit July 14, 2004.

Dartmouth PKI Deployment Robert Brentrup PKI Summit July 14, 2004.
16.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.

16.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
GGF15 Workshop MyProxy Integration with PubCookie Marty Humphrey*, Jim Jokl*, and Jim Basney** *Department of Computer Science, University of Virginia,

GGF15 Workshop MyProxy Integration with PubCookie Marty Humphrey*, Jim Jokl*, and Jim Basney** *Department of Computer Science, University of Virginia,
Some Common Campus PKI Applications January 2004 CSG Meeting Jim Jokl.

Some Common Campus PKI Applications January 2004 CSG Meeting Jim Jokl.
Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.

Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.

Similar presentations

Ads by Google