Authority, Virtual Organizations and Diagnostics: Building and Managing Complexity Ken Klingenstein Director, Internet2 Middleware and Security.

2 Topics
- Background on Internet2 Middleware and international efforts
- The model: enterprises, federations and virtual organizations; the unified field theory of trust
- The deliverables
  - Shibboleth – interrealm exchange of attributes and authorizations
  - Signet – a privilege management system
  - Virtual organizations – serving collaborative communities in science and humanities
  - Diagnostics – when it doesn’t work
- The next year or so

3 MACE (Middleware Architecture Committee for Education)
- Purpose - to provide advice, create experiments, foster standards, etc. on key technical issues for core middleware within higher education
- Membership - Bob Morgan (UW) Chair, Tom Barton (Chicago), Scott Cantor (Ohio State), Steven Carmody (Brown), Michael Gettes (Duke), Keith Hazelton (Wisconsin), Paul Hill (MIT), Jim Jokl (Virginia), Mark Poepping (CMU), Bruce Vincent (Stanford), David Wasley (California), Von Welch (Grid)
- European members - Brian Gilmore (Edinburgh), Ton Verschuren (Netherlands), Diego Lopez (Spain)
- Creates working groups in major areas, including directories, interrealm access control, PKI, video, P2P, etc.
- Works via conference calls, emails, occasional serendipitous in-person meetings...

4 Internet2 Middleware and the NSF Middleware Initiative (NMI)
- Internet2 Middleware has been a major theme for the last five years, drawing support from 206 university members, 75+ corporate members, and government grants and interactions
- Internet2 has an integrator role within NMI, the key NSF program to develop and deploy common middleware infrastructures
- NMI has two major themes
  - Scientific computing and data environments (à la Grids)
  - Common campus and inter-institutional middleware infrastructure (à la Internet2/EDUCAUSE/SURA work)
- Issues periodic NMI releases of software, services, architectures, objectclasses and best practices – R5 is the most current release

5 International efforts
- Terena as an anchor for a succession of middleware discussions and initiatives
- Conspicuous national efforts in Spain, Switzerland, the Netherlands, the Nordic countries and a few other European countries
- Major initiative now underway by JISC in the UK, with coordinated advancement in authorization, virtual organizations, digital rights management, and other areas
- Australian efforts rapidly advancing; the rest of the Pacific Rim lags…

6 The Model: Enterprises and Federation
Given the strong collaborations within the academic community, there is an urgent need to create inter-realm tools, so:
- Build consistent campus and enterprise middleware infrastructure deployments, with outward-facing objectclasses, service points, etc., and then
- Federate those enterprise deployments, using the outward-facing campus infrastructure, with interrealm attribute transports, trust services, etc., and then
- Leverage that federation to enable a variety of applications, from network authentication to instant messaging, from video to web services, and then, going forward
- Create tools and templates that support the management and collaboration of virtual organizations by building on the federated campus infrastructures

7 Middleware Axioms
- Work the core areas
- Focus on support for collaboration
- Use federated administration as the lever; have the enterprise broker most services (authentication, authorization, resource discovery, etc.) in inter-realm interactions
- Develop a consistent directory infrastructure within R&E
- Provide security while not degrading privacy
- Foster interrealm trust fabrics: federations and virtual organizations
- Leverage campus expertise and build rough consensus
- Support heterogeneity and open standards
- Influence the marketplace; develop where necessary

8 A Map of Campus Middleware Land

9 Federated administration [diagram: Campus 1, Campus 2 and a Federation, with component labels O, T, A, CM and VO]

10 Unified field theory of Trust
- Bridged, global hierarchies of identification-oriented, often government-based trust – laws, identity tokens, etc.
  - Passports, drivers licenses
  - Future is typically PKI oriented
- Federated, enterprise-based; leverages one’s security domain; often role-based
  - Enterprise does authentication and attributes
  - Federations of enterprises exchange assertions (identity and attributes)
- Peer-to-peer trust; ad hoc, small-locus personal trust
  - A large part of our non-networked lives
  - New technology approaches to bring this into the electronic world
  - Distinguishing P2P application architecture from P2P trust
- Virtual organizations cross-stitch across one of the above

11 The Deliverables
- Shibboleth – a secure, privacy-preserving transport for attributes between realms and within federations
- Signet – a meta-authority system that leverages enterprise roles to drive sophisticated authorization options
- Virtual organizations – combining enterprise services with stand-alone services to provide consistency and transparency to the VO participants
- Diagnostics – coupling existent and yet-to-be-defined exception handling across a multi-layered (application, middleware, security, network) distributed environment

12 Shibboleth Architecture

13 Milestones
- Project formation - Feb 2000
  - Stone Soup; process began late summer 2000 with bi-weekly calls to develop scenario, requirements and architecture
- Linkages to SAML established Dec 2000
- Architecture and protocol completion - Aug 2001
- Design - Oct 2001
- Coding began - Nov 2001
- Alpha-1 release – April 24, 2002
- OpenSAML release – July 15, 2002
- v1.0 April 2003; v1.1 July 2003; v1.2 May 2004
- v2.0 likely the end of the major evolution

14 Shibboleth Status
- Open source, privacy-preserving federating software
- Being very widely deployed in US and international universities
- Target - works with Apache (1.3 and 2.0) and IIS targets; Java origins for a variety of Unix platforms
- V1.3 likely to include portal support, identity linking, non-web services (plumbing to GSSAPI, P2P, IM, video), etc.
- Work underway on intuitive graphical interfaces for the powerful underlying Attribute Authority and resource protection
- Likely to coexist well with Liberty Alliance and may work within the WS framework from Microsoft
- Growing development activities in several countries, providing resource manager tools, digital rights management, listprocs, etc.
- http://shibboleth.internet2.edu/

15 Adoption
- Over 50 universities using it for access to OCLC, JSTOR, Elsevier, WebAccess, Napster, etc.
- Common status is “moving into production”
- The hard part is not installing Shibboleth but running “plumbing” to it: directories, attributes, authentication
- Deployments in Europe, the UK, South America and Australia
- Needs federations to scale; being adopted by, or catalyzing, national R&E federations in several countries

16 Signet: Stanford Authority System

17 Signet Deliverables
The deliverables consist of:
- A recipe, with accompanying case studies, of how to take a role-based organization and develop appropriate groups, policies, attributes, etc. to operate an authority service
- Templates and tools for registries and group management
- A web interface and program APIs to provide distributed management (to the departments, to external programs) of access rights and privileges, and
- Delivery of authority information through the infrastructure as directory data and authority events

18 Home

19 Grant Authority Wizard

20 Virtual Organizations
- Geographically distributed, enterprise-distributed community that shares real resources as an organization
- Examples include team science (NEESGrid, HEP, BIRN, NEON), digital content managers (library cataloguers, curators, etc.), life-long learning consortia, etc.
- On a continuum from interrealm groups (no real resource management, few defined roles) to real organizations (primary identity/authentication providers)
- Want to leverage enterprise middleware and external trust fabrics

21 Virtual Organizations
- Some things seem consistent across almost all VOs
  - The need to manage and delegate VO authorizations
  - Unique naming, and managed resource discovery
  - A set of collaboration tools, including a list manager, calendar, shared web content management, etc., that are seamlessly integrated into users’ everyday environment
  - A need to factor in, and leverage, local domain requirements and capabilities
- Some things are specific to each VO
  - The members and the resources being managed
  - Requirements for advanced services, such as Grids and instrument management

22 Virtual organizations
- Need a model to support a wide variety of use cases
  - Native VO infrastructure capabilities, differences in enterprise readiness, etc.
  - Variations in collaboration modalities
  - Requirements of VOs for authz, range of disciplines, etc.
- JISC in the UK has the lead; solicitation is on the streets (see http://www.jisc.ac.uk/c01_04.html); builds on NSF NMI
- Tool set likely to include seamless listproc, web sharing, shared calendaring, real-time video, privilege management system, etc.

23 Leveraging V.O.s Today [diagram: VO, Target Resource, User, Enterprise, Federation]

24 Leveraged V.O.s Tomorrow [diagram: VO, Target Resource, User, Enterprise, Federation, Collaborative Tools, Authority System, etc.]

25 Middleware Diagnostics Problem Statement
- The number and complexity of distributed application initiatives and products has exploded within the last 5 years
- Each must create its own framework for providing diagnostic tools and performance metrics
- Distributed applications have become increasingly dependent not only on the system and network infrastructure that they are built upon, but also on each other
- Middleware diagnostics need to integrate with network performance diagnostics and security diagnostics

26 Goals
- Create an event collection and dissemination infrastructure that uses existing system, network and application data (Unix/Windows logs, SNMP, NetFlow, etc.)
- Establish a standardized event record that normalizes all system, network and application events into a common data format
- Build a rich tool platform to collect, distribute, access, filter, aggregate, tag, trace, probe, anonymize, query, archive, report, notify, and perform forensic and performance analysis

27 Event Record Standard
- Normalization of each diagnostic data feed type (SHIB, HTTP, Syslog, RMON, etc.) into a common event record
- The tagging of specific events to help downstream correlation processes
[diagram: Cisco NetFlow events, RMON events, a DB access log, a SHIB log, an HTTP access log and a Grid application log (Variable Star Catalog DB application) feed a "Normalization and Event Tagging" stage; native record layouts shown:]
  NETFLOW:TIME:SRC:DST:…
  RMON:HOST:TIME:DSTPORT..
  DB:TIME:HOST:REQ:ASTRON
  SHIB:TIME:HOST:UID…
  HTTP:TIME:HOST:URL…
  GRIDAPP:TIME:HOST:UID:…

28 Diagnostic Data Pipelining
- Data flows can be constructed to provide the desired function and policy within an enterprise or federation
[diagram: network events and host or security events pass through collection module hosts (C-1 to C-4, C-*) and processing module hosts (P-1 to P-5, P-*) with the stages Normalization, Aggregation, Tagging, Anonymization, Filter, DB and Archive]

29 Event Record
Event Descriptor Meta Field
- Event Descriptor Version Number
- Observation Description Pointer
- ID – unique event identifier
- Time - start/stop
- IP Address(es) – source/(destination)
- Source Class – application, network, system, compound, bulk, management
- Event Name Tag – native language ID, user defined
- Status – normal, informational, warning, measurement, critical, error, etc.
- Major Source Name – filename, Netflow, Syslogd, SNMP, shell program, etc.
- Minor Source Name – logging process name (named), SNMP variable name, etc.
- Raw Data Encoding Mechanism – Binary, ASN1, ASCII, XML, etc.
- Raw Event Data Description Pointer
- Raw Event Data
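The normalization and tagging stages of slides 27 and 29, together with the anonymization stage of slide 28, as an added Python example that is not part of the presentation or of any Internet2 or NMI software. It parses constructed syslog, Apache access-log and SHIB lines into a record whose field names follow the slide's Event Descriptor, tags addresses that appear in more than one feed for downstream correlation, and pseudonymizes addresses with a salted hash so the correlation key survives after the record leaves the enterprise. The colon-separated SHIB layout, the DESCRIPTOR_VERSION and SYSLOG_YEAR values, the function names and the sample lines are all assumptions for this example.

```python
# Added example: normalize three feed types into one event record, tag events for
# correlation, and anonymize them. Field names follow the slide; the feed layouts,
# DESCRIPTOR_VERSION, SYSLOG_YEAR and the sample lines are assumed or constructed.
import hashlib
import re
import uuid
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Dict, List, Optional

DESCRIPTOR_VERSION = "0.1-example"  # assumed; the slide names the field, not a value
SYSLOG_YEAR = 2004                  # syslog lines carry no year; assumed for the samples

@dataclass
class EventRecord:
    id: str
    time_start: str
    time_stop: Optional[str]
    ip_addresses: List[str]
    source_class: str    # application, network, system, compound, bulk, management
    event_name_tag: str  # user-defined tag consumed by downstream correlation
    status: str          # normal, informational, warning, measurement, critical, error
    major_source: str    # Netflow, Syslogd, SNMP, filename, ...
    minor_source: str    # logging process name, SNMP variable name, ...
    raw_encoding: str    # Binary, ASN1, ASCII, XML, ...
    raw_event_data: str
    version: str = DESCRIPTOR_VERSION

SYSLOG_RE = re.compile(r"^(?P<ts>\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
                       r"(?P<proc>[\w./-]+)(?:\[\d+\])?: (?P<msg>.*)$")
APACHE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
                       r"(?P<code>\d{3}) \S+$")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def _status_from_text(msg: str) -> str:
    low = msg.lower()
    if "error" in low or "fail" in low:
        return "error"
    return "warning" if "warn" in low else "normal"

def normalize(line: str) -> EventRecord:
    """Map one native line onto the common record; unknown layouts are rejected, not guessed."""
    new_id = str(uuid.uuid4())
    if line.startswith("SHIB:"):  # assumed layout SHIB:EPOCH:HOST:UID:MESSAGE
        parts = line.split(":", 4)
        if len(parts) != 5:
            raise ValueError("malformed SHIB record")
        _, epoch, host, _uid, msg = parts
        ts = datetime.fromtimestamp(int(epoch), tz=timezone.utc).isoformat()
        return EventRecord(new_id, ts, None, IPV4_RE.findall(msg), "application",
                           "shib.attribute_release", _status_from_text(msg), "SHIB log",
                           host, "ASCII", line)
    m = APACHE_RE.match(line)
    if m:
        code = int(m["code"])
        status = "error" if code >= 500 else "warning" if code >= 400 else "normal"
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
        return EventRecord(new_id, ts.isoformat(), None, [m["ip"]], "application",
                           "http.request", status, "HTTP access log", "httpd", "ASCII", line)
    m = SYSLOG_RE.match(line)
    if m:
        ts = datetime.strptime(f"{SYSLOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        return EventRecord(new_id, ts.replace(tzinfo=timezone.utc).isoformat(), None,
                           IPV4_RE.findall(m["msg"]), "system", f"syslog.{m['proc']}",
                           _status_from_text(m["msg"]), "Syslogd", m["proc"], "ASCII", line)
    raise ValueError(f"unrecognized feed format: {line[:40]!r}")

def correlate_by_ip(records: List[EventRecord]) -> Dict[str, List[EventRecord]]:
    """Tagging for correlation: addresses that appear in more than one feed type."""
    by_ip: Dict[str, List[EventRecord]] = {}
    for r in records:
        for ip in r.ip_addresses:
            by_ip.setdefault(ip, []).append(r)
    return {ip: rs for ip, rs in by_ip.items() if len({r.major_source for r in rs}) > 1}

def anonymize(record: EventRecord, salt: str) -> EventRecord:
    """Swap addresses (field and raw data) for salted hashes; one salt gives one pseudonym
    per address, so correlation still works after the record leaves the enterprise."""
    pseudonyms = {ip: hashlib.sha256(f"{salt}:{ip}".encode()).hexdigest()[:16]
                  for ip in record.ip_addresses}
    raw = record.raw_event_data
    for ip, pseudo in pseudonyms.items():
        raw = raw.replace(ip, pseudo)
    return EventRecord(**{**asdict(record), "ip_addresses": list(pseudonyms.values()),
                          "raw_event_data": raw})

# Constructed sample lines (RFC 5737 documentation addresses, fictitious hosts).
SAMPLE_LINES = [
    "Oct 10 13:55:36 idp.example.edu sshd[2042]: Failed password for invalid user admin "
    "from 198.51.100.7 port 4422 ssh2",
    '198.51.100.7 - - [10/Oct/2004:13:55:40 +0000] "GET /shibboleth-sp/Login HTTP/1.1" 200 512',
    "SHIB:1097416545:idp.example.edu:jdoe:attribute release to https://sp.example.org/shibboleth",
    '203.0.113.5 - - [10/Oct/2004:13:56:01 +0000] "POST /cgi-bin/query HTTP/1.1" 500 0',
]
```

Running `correlate_by_ip([normalize(l) for l in SAMPLE_LINES])` yields one group, the address seen both by sshd and by the Shibboleth SP's web server; the second address appears only in the HTTP feed and is not tagged. Two design points carry over to a real pipeline: a line whose layout is not recognized raises rather than being stuffed into a best-guess record, because a silently mis-parsed event is worse for correlation than a dropped one, and the pseudonymization is keyed by a salt so that records anonymized with the same salt stay correlatable while records released to a federation partner under a different salt cannot be joined back.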

30 The next year or so
- An integrated marketplace for identity management services, packaged with work, home and personal forms
- Federations and international peering of trust
- More integration between Grids and enterprises
- Virtual organization services
  - A mix of enterprise, community and outsourced options
- Adaptation of Signet-type privilege management
  - New business models for content and service providers
- Diagnostic hell
  - Things will get much worse before they get better

