Presentation is loading. Please wait.

Presentation is loading. Please wait.

Internet2 Middleware Activities Progress. Internet2 All staff tutorial Nov.28, 2001 Acknowledgments MACE and the working groups NSF catalytic grant and.

Published byVivien Nash Modified over 9 years ago

Similar presentations

Presentation on theme: "Internet2 Middleware Activities Progress. Internet2 All staff tutorial Nov.28, 2001 Acknowledgments MACE and the working groups NSF catalytic grant and."— Presentation transcript:

1 Internet2 Middleware Activities Progress

2 Internet2 All staff tutorial Nov.28, 2001 Acknowledgments MACE and the working groups NSF catalytic grant and meeting Early Adopters Higher Education partners - campuses, EDUCAUSE, CREN, AACRAO, SURA, NACUA, etc. Corporate partners - IBM, ATT, Sun, Accord, Metamerge, et al. Government partners - including NSF and the fPKI TWG

3 Internet2 All staff tutorial Nov.28, 2001 Activites Integration MACE RL“Bob”Morgan ( Washington) Early Harvest / Early Adopters –Renee Frost (Michigan) Shibboleth - Steven Carmody (Brown) Vid Mid - Ken Klingenstein (Colorado) VC- Egon Verharen (SURFnet) VoD- Mairead Martin (Tennessee) NSF Middleware Initiative – Internet2, EDUCAUSE, SURA and The GRIDs Center Medical Middleware - Rob Carter ( Duke), Jack Buchanan (UT Health Science Ctr) Core MACE- Dir Keith Hazelton (Wisconsin) Groups- Tom Barton (Memphis) Metadirectories - Keith Hazelton (Wisconsin) Directory of Directories for Higher Ed - Michael Gettes (Georgetown) EduPerson and EduOrg - Keith Hazelton ( Wisconsin) LDAP Recipe - Michael Gettes (Georgetown ) HEPKI-TAG and PAG - Jim Jokl (Virginia) and Ken Klingenstein ( Colorado) HEBCA - Mark Luker (EDUCAUSE) PKI Labs - Dartmouth and Wisconsin

4 Internet2 All staff tutorial Nov.28, 2001 MACE (Middleware Architecture Committee for Education) Purpose - to provide advice, create experiments, foster standards, etc. on key technical issues for core middleware within higher education Creates working groups in major areas, including directories, interrealm authentication, PKI, medical issues, etc. Works via conference calls, emails, occasional serendipitous in-person meetings... US Members Bob Morgan (UW) ChairScott Cantor (Ohio State) Steven Carmody (Brown) Keith Hazelton (Wisconsin) Paul Hill (MIT) Michael Gettes (Georgetown) Jim Jokl (Virginia)Mark Poepping (CMU) Bruce Vincent (Stanford) David Wasley (California) Von Welch (Grid) European members Brian Gilmore (Edinburgh) Ton Verschuren (Netherlands)

5 Internet2 All staff tutorial Nov.28, 2001 National Science Foundation Catalytic grant in Fall 99 started the organized efforts, with Early Harvest and Early Adopters NSF Middleware Initiative - three year cooperative agreement, begun 9/1/01, with Internet2/EDUCAUSE/SURA and the GRIDs Center, to develop and deploy a national middleware infrastructure for science, research and higher education Work products are community standards, best practices, schema and object classes, reference implementations, open source services, corporate relations Work areas are identifiers, directories, authentication, authorization, GRIDs, PKI, video

6 Internet2 All staff tutorial Nov.28, 2001 Early Harvest NSF funded workshop in Fall 99 and subsequent activities Defined the territory and established a work plan Best practices in identifiers, authentication, and directories (http://middleware.internet2.edu/internet2-mi-best-practices-00.html) http://middleware.internet2.edu/earlyharvest/

7 Internet2 All staff tutorial Nov.28, 2001 Early Adopters: The Campus Testbed Phase A variety of roles and missions Commitment to move implementation forward Provided some training and facilitated support Develop national models of deployment alternatives Address policy standards Profiles and plans are on Internet2 middleware site http://middleware.internet2.edu/earlyadopters/ Participants: Dartmouth, Hawaii, Johns Hopkins, Maryland- Baltimore County, Memphis, Michigan Tech, Michigan, Pittsburgh, Tennessee Health Science Center, Tufts, USC

8 Internet2 All staff tutorial Nov.28, 2001 What is Middleware? specialized networked services that are shared by applications and users a set of core software components that permit scaling of applications and networks tools that take the complexity out of application integration a second layer of the IT infrastructure, sitting above the network a land where technology meets policy the intersection of what networks designers and applications developers each do not want to do

9 Internet2 All staff tutorial Nov.28, 2001 A Map of Middleware

10 Internet2 All staff tutorial Nov.28, 2001 Core Middleware Identity - unique markers of who you (person, machine, service, group) are Authentication - how you prove or establish that you are that identity Directories - where an identity’s basic characteristics are kept Authorization - what an identity is permitted to do PKI - emerging tools for security services

11 Internet2 All staff tutorial Nov.28, 2001 The Major Projects eduPerson and eduOrg (mace-dir) the Directory of Directories for Higher Education (DoDHE) Shibboleth (mace-shibboleth) and Webiso (mace-webiso) Directories metadirectories groups affiliated directories HEBCA and PKI-Light (HEPKI-PAG and HEPKI-TAG) PKI Labs at Dartmouth and Wisconsin Videoconferencing and video on demand (vidmid) OKI, JA-SIG and the Grids

12 Internet2 All staff tutorial Nov.28, 2001 eduPerson A directory objectclass intended to support inter-institutional applications Fills gaps in traditional directory schema For existing attributes, states good practices where known Specifies several new attributes and controlled vocabulary to use as values. Provides suggestions on how to assign values, but it is up to the institution to choose. Version 1.0 now done; one or two revisions anticipated

13 Internet2 All staff tutorial Nov.28, 2001 eduPerson 1.0 parent objectclass=inetOrgPerson includes: affiliation (multi-valued) primary affiliation (faculty/student/staff) orgUnitDN (string) nickname (string) ePPN (identifier, user@securitydomain) version 1.5 and beyond will contain other shared attributes

14 Internet2 All staff tutorial Nov.28, 2001 A Directory of Directories an experiment to build a combined directory search service to show the power of coordination will highlight the inconsistencies between institutions technical investigation of load and scaling issues, centralized and decentralized approaches human interface issues - searching large name spaces with limits by substring, location, affiliation, etc... to suggest the service to follow Sun donation of server and 6 million DNs http://dodhe.internet2.edu/dodhe/

15 Internet2 All staff tutorial Nov.28, 2001 Shibboleth A word which was made the criterion by which to distinguish the Ephraimites from the Gileadites. The Ephraimites, not being able to pronounce sh, called the word sibboleth. See --Judges xii. Hence, the criterion, test, or watchword of a party; a party cry or pet phrase. - Webster's Revised Unabridged Dictionary (1913):Webster's Revised Unabridged Dictionary (1913)

16 Internet2 All staff tutorial Nov.28, 2001 Shibboleth inter-institutional web authentication and basic authorization authenticate locally, act globally - the Shibboleth shibboleth emphasizes privacy through progressive disclosure of attributes linked to commercial standards development in XML through OASIS scenarios and architecture done; coding has commenced with alpha code due in January, 2002 to pilot sites coding and design teams feature IBM/Tivoli, CMU, and the Ohio State University strong partnership with IBM to develop and deploy http://middleware.internet2.edu/shibboleth/

17 Internet2 All staff tutorial Nov.28, 2001 Stage 1 - Addressing Three Scenarios Member of campus community accessing licensed resource Anonymity required Member of a course accessing remotely controlled resource Anonymity required Member of a workgroup accessing controlled resources Controlled by unique identifiers (e.g. name) Taken individually, each of these situations can be solved in a variety of straightforward ways. Taken together, they present the challenge of meeting the user's reasonable expectations for protection of their personal privacy.

18 Internet2 All staff tutorial Nov.28, 2001 Target Web Server Origin Site Target Site Browser Authentication Phase First Access - Unauthenticated Authorization Phase Pass content if user is allowed Shibboleth Architecture Concepts - High Level

19 Internet2 All staff tutorial Nov.28, 2001 Middleware Inputs & Outputs Grids JA-SIG & uPortalOKIInter-realmcalendaring Shibboleth, eduPerson, Affiliated Dirs, etc. EnterpriseDirectoryEnterpriseAuthenticationLegacySystemsCampus web SSO futures EnterpriseauthZ LicensedResourcesEmbedded App Security Shibboleth, eduPerson, and everything else

20 Internet2 All staff tutorial Nov.28, 2001 Project Status Architecture definition finished (v0.9+) Design/Programming now Underway Team membership drawn from IBM/Tivoli, CMU, Ohio State First Face-to-Face meeting on Sept 27, 28 at CMU First Set of Pilot Sites Selected Chosen to test all 3 scenarios UK participation Timeline for programming Stage I alpha code Feb 2002 Stage II beta code June 2002 Stage III release summer 2002

21 Internet2 All staff tutorial Nov.28, 2001 A Campus Directory Architecture Metadirectory Enterprise directory Dir DB Departmental directories OS directories (MS, Novell, etc) Border directory Registries Source systems

22 Internet2 All staff tutorial Nov.28, 2001 Metadirectories The critical functions to glue together what inevitably turns out to be a number of campus, departmental and application-oriented directory services Typically a coordinated set of services that watches updates to specific directories or from legacy data feeds and spreads those updates to other directories Performs several subfunctions an identity registry or crosswalk to relate entries in different directories a set of connectors that take changes from one source and convert them for dissemination to other sources Basic implementation from Metamerge is free to higher ed

23 Internet2 All staff tutorial Nov.28, 2001 Directories – Group Management Best practices in the use of core middleware to meet the authorization and messaging needs of applications Initial foci are: 1)the conduct of a survey of several organizations' practices in this area and 2)investigations into meaningful definitions of, and productive ways of representing and operating on, "groups", "affiliations", "roles", and "correlations". Groups Practices Survey http://middleware.internet2.edu/dir/groups/

24 Internet2 All staff tutorial Nov.28, 2001 PKI: A few observations Think of it as wall jack connectivity, except it’s connectivity for individuals, not for machines, and there’s no wall or jack…but it is that ubiquitous and important Does it need to be a single infrastructure? What are the costs of multiple solutions? Subnets and ITPs... Options breed complexity; managing complexity is essential PKI can do so much that right now it does very little

25 Internet2 All staff tutorial Nov.28, 2001 A few more... IP connectivity was a field of dreams. We built it and then the applications came. Unfortunately, here the applications have arrived before the infrastructure, making its development much harder. No one seems to be working on the solutions for the agora. A general-purpose PKI seems like a difficult task, but instituting a PKI Light as a first step may not have enough paybacks.

26 Internet2 All staff tutorial Nov.28, 2001 The general state of PKI There are campus and corporate successes Corporations use internally for VPN, some authentication, signed email (with homogeneous client base) MIT, UT medical, soon VA, UCOP Key is limited application use, lightweight policy approaches There is very limited interrealm, community of interest or general interoperable work going on Federal efforts HealthKey Higher Ed Some European niches

27 Internet2 All staff tutorial Nov.28, 2001 The Four Planes of PKI on the road to general purpose interrealm PKI the planes represent different levels of simplification from the dream of a full interrealm, intercommunity multipurpose PKI simplifications in policies, technologies, applications, scope each plane provides experience and value

28 Internet2 All staff tutorial Nov.28, 2001 The Four Planes are: Full interrealm PKI - multipurpose, spanning broad and multiple communities, bridges to unite hierarchies, unfathomed directory issues Simple interrealm PKI - multipurpose within a community, operating under standard policies and structured hierarchical directory services PKI-Light - containing all the key components of a PKI, but many in simplified form; may be for a limited set of applications; may be extended within selected communities PKI-Ultralight - easiest to construct and useful conveyance; ignores parts of PKI and not for use external to the institution; learn how to fly, but not a plane...

29 Internet2 All staff tutorial Nov.28, 2001 D. Wasley’s PKI Puzzle

30 Internet2 All staff tutorial Nov.28, 2001 Uses for PKI and Certificates authentication and pseudo-authentication signing docs encrypting docs and mail non-repudiation secure channels across a network authorization and attributes secure multicast and more...

31 Internet2 All staff tutorial Nov.28, 2001 PKI Components X.509 v3 certs - profiles and uses Validation - Certificate Revocation Lists, OCSP, path construction Cert management - generating certs, using keys, archiving and escrow, mobility, etc. Directories - to store certs, and public keys and maybe private keys Trust models and I/A Cert-enabled apps

32 Internet2 All staff tutorial Nov.28, 2001 Directories to store certs to store CRL to store private keys, for the time being to store attributes implement with border directories, or ACLs within the enterprise directory, or proprietary directories

33 Internet2 All staff tutorial Nov.28, 2001 Certificate Policies (CP) and Practices Statements (CPS) Policies: legal responsibilities and liabilities (indemnification issues) Operations of certificate management systems Will hopefully be somewhat uniform across the community Assurance levels - varies according to I/A processes and other operational factors Practices - site-specific details of operational compliance with a cert policy A Policy Management Authority (PMA) determines if a CPS is adequate for a given CP.

34 Internet2 All staff tutorial Nov.28, 2001 Inter-organizational trust model components verifying sender-receiver assurance by finding a common trusted entity must traverse perhaps branching paths to establish trust paths must then use CRLs etc. to validate assurance if policies are in cert payloads, then validation can be quite complex delegation makes things even harder Hierarchies vs. Bridges a philosophy and an implementation issue the concerns are transitivity and delegation hierarchies assert a common trust model bridges pairwise agree on trust models and policy mappings

35 Internet2 All staff tutorial Nov.28, 2001 VidMid Middleware for video Videoconferencing authenticated, identified video clients - work with commercial clients to use the underlying middleware plumbing H.323, VRVS, and new SIP-oriented clients Video on demand access controls for video resources schema for meta information Works closely with ViDe (www.vide.org) http://middleware.internet2.edu/video/ aggressive time frames

36 Internet2 All staff tutorial Nov.28, 2001 Mace-Med Unique requirements - HIPAA, disparate relationships, extended community, etc. Unique demands - 7x24, visibility PKI seen as a key tool Mace-Med recently formed to explore the issues

37 Internet2 All staff tutorial Nov.28, 2001 HEPKI (www.educause.edu/hepki/) HEPKI - Technical Activities Group (TAG) universities actively working technical issues topics include Kerberos-PKI integration, public domain CA, profiles regular conference calls, email archives HEPKI - Policy Activities Group (PAG) universities actively trying to deploy PKI topics include certificate policies, RFP sharing, interactions with state governments regular conference calls, email archives

38 Internet2 All staff tutorial Nov.28, 2001 Internet2 PKI Labs At Dartmouth and Wisconsin in computer science departments and IT organizations Doing the deep research - two to five years out Policy languages, path construction, attribute certificates, etc. National Advisory Board of leading academic and corporate PKI experts provides direction Catalyzed by startup funding from ATT

39 Internet2 All staff tutorial Nov.28, 2001 OKI, JA-SIG and Grids OKI major open learning management system being developed by MIT, Stanford, and North Carolina State, funded by the Mellon Foundation; reference architecture and open source implementation http://web.mit.edu/oki/intro.html JA-SIG uPortal is a major portal architecture and implementation being developed by a number of schools with funding from the Mellon Foundation; also hopes to share administrative Java applets http://www.ja-sig.org/ and http://mis105.mis.udel.edu/ja-sig/uportal/index.html GRIDS Center expanding use of Grids will reach to many campuses integration efforts underway http://www.globus.org and http://www.gridforum.org

40 Internet2 All staff tutorial Nov.28, 2001 NSF Middleware Initiative (NMI) NSF award for integrators to –Internet2, EDUCAUSE, and SURA –The GRIDs Center (NCSA, UCSD, University of Chicago, USC/ ISI, and University of Wisconsin) Build on the successes of the Internet2/MACE initiative and the Globus Project Three year cooperative agreement effective 9/1/01 To develop and deploy a national middleware infrastructure for science, research and higher education Separate awards to academic pure research components

41 Internet2 All staff tutorial Nov.28, 2001 The Grid a model for a distributed computing environment, addressing diverse computational resources, distributed databases, network bandwidth, object brokering, security, etc. Globus (www.globus.org) is the software that implements most of these components; Legion is another such software environment Needs to integrate with campus infrastructure Gridforum (www.gridforum.org) umbrella activity of agencies and academics Look for grids to occur locally and nationally, in physics, earthquake engineering, etc.

42 Internet2 All staff tutorial Nov.28, 2001 NMI: The Problem to Solve To allow scientists and engineers the ability to transparently use and share distributed resources, such as computers, data, and instruments To develop effective collaboration and communications tools such as Grid technologies, desktop video, and other advanced services to expedite research and education To develop a working architecture and approach which can be extended to Internet users around the world Middleware is the stuff that makes “transparently use” happen, providing consistency, security, privacy and capability

43 Internet2 All staff tutorial Nov.28, 2001 NMI Work products –Community standards –Best practices –Schema and object classes –Reference implementations –Open source services –Corporate relations Work areas –Identifiers –Directories –Authentication –Authorization –GRIDs –PKI –Video

44 Internet2 All staff tutorial Nov.28, 2001 More information Early Harvest / Early Adopters: http://middleware.internet2.edu/earlyadopters/ Mace: middleware.internet2.edu LDAP Recipe: http://www.georgetown.edu/giia/internet2/ldap- recipe/ EduPerson: www.educause.edu/eduperson Directory of Directories: middleware.internet2.edu/dodhe Shibboleth: middleware.internet2.edu/shibboleth HEPKI-TAG: www.educause.edu/hepki HEPKI-PAG: www.educause.edu/hepkiwww.educause.edu/hepki Video: http://middleware.internet2.edu/video/

Download ppt "Internet2 Middleware Activities Progress. Internet2 All staff tutorial Nov.28, 2001 Acknowledgments MACE and the working groups NSF catalytic grant and."

Similar presentations

PKI: A High Level View from the Trenches Ken Klingenstein, Project Director, Internet2 Middleware Initiative Chief Technologist, University of Colorado.

PKI: A High Level View from the Trenches Ken Klingenstein, Project Director, Internet2 Middleware Initiative Chief Technologist, University of Colorado.
The Internet2 NET+ Services Program Jerry Grochow Interim Vice President CSG January, 2012.

The Internet2 NET+ Services Program Jerry Grochow Interim Vice President CSG January, 2012.
Federated Digital Rights Management Mairéad Martin The University of Tennessee TERENA General Assembly Meeting Prague, CZ October 24, 2002.

Federated Digital Rights Management Mairéad Martin The University of Tennessee TERENA General Assembly Meeting Prague, CZ October 24, 2002.
Welcome to CAMP Shibboleth Ken Klingenstein, Director, Internet2 Middleware Initiative.

Welcome to CAMP Shibboleth Ken Klingenstein, Director, Internet2 Middleware Initiative.
Welcome to CAMP! Ken Klingenstein, Director, Internet2 Middleware Initiative.

Welcome to CAMP! Ken Klingenstein, Director, Internet2 Middleware Initiative.
David L. Wasley Information Resources & Communications Office of the President University of California Directories and PKI Basic Components of Middleware.

David L. Wasley Information Resources & Communications Office of the President University of California Directories and PKI Basic Components of Middleware.
PKI: News from the Front and views from the Back Ken Klingenstein, Project Director, Internet2 Middleware Initiative Chief Technologist, University of.

PKI: News from the Front and views from the Back Ken Klingenstein, Project Director, Internet2 Middleware Initiative Chief Technologist, University of.
PKI Update. Topics Background: Why/Why Not, The Four Planes of PKI, Activities in Other Communities Technical activities update S/MIME Pilot prospects.

PKI Update. Topics Background: Why/Why Not, The Four Planes of PKI, Activities in Other Communities Technical activities update S/MIME Pilot prospects.
Welcome Acknowledgments and thanks Security Acronymny: then and now What’s working What’s proving hard.

Welcome Acknowledgments and thanks Security Acronymny: then and now What’s working What’s proving hard.
Shibboleth Update a.k.a. “shibble-ware”

Shibboleth Update a.k.a. “shibble-ware”
1 USHER Update Fed/ED December 2007 Jim Jokl University of Virginia.

1 USHER Update Fed/ED December 2007 Jim Jokl University of Virginia.
9/20/2000www.cren.net1 Root Key Cutting and Ceremony at MIT 11/17/99.

9/20/2000www.cren.net1 Root Key Cutting and Ceremony at MIT 11/17/99.
InCommon Policy Conference April 2005. 2 Uses  In order to encourage and facilitate legal music programs, a number of universities have contracted with.

InCommon Policy Conference April Uses  In order to encourage and facilitate legal music programs, a number of universities have contracted with.
The Rise of Collaborative Tools Ken Klingenstein Project Director, Internet2 Middleware Initiative Chief Technologist, University of Colorado at Boulder.

The Rise of Collaborative Tools Ken Klingenstein Project Director, Internet2 Middleware Initiative Chief Technologist, University of Colorado at Boulder.
Welcome to CAMP Identity Management Integration Workshop Ann West NMI-EDIT EDUCAUSE/Internet2.

Welcome to CAMP Identity Management Integration Workshop Ann West NMI-EDIT EDUCAUSE/Internet2.
EDUCAUSE PKI Working Group Where Are We and Where are We Going.

EDUCAUSE PKI Working Group Where Are We and Where are We Going.
3 September 2015 Federated R US. Agenda  Background on Internet2 Middleware and NSF Middleware Initiative  The body of work  Directories  Shibboleth.

3 September 2015 Federated R US. Agenda  Background on Internet2 Middleware and NSF Middleware Initiative  The body of work  Directories  Shibboleth.
Middleware Tutorial and Use Renee Woodten Frost Project Manager, Internet2 Middleware Initiative Internet2 Middleware Liaison, University of Michigan ARKNet.

Middleware Tutorial and Use Renee Woodten Frost Project Manager, Internet2 Middleware Initiative Internet2 Middleware Liaison, University of Michigan ARKNet.
Directory Services at UMass  Directory Services Overview  Some common definitions  What can a directory do or not do?  User Needs Assessment  What.

Directory Services at UMass  Directory Services Overview  Some common definitions  What can a directory do or not do?  User Needs Assessment  What.
Middleware Planning and Deployment 201: Implementation Roadmap Keith Hazelton, University of Wisconsin/Internet2 Renee Woodten Frost, Internet2/University.

Middleware Planning and Deployment 201: Implementation Roadmap Keith Hazelton, University of Wisconsin/Internet2 Renee Woodten Frost, Internet2/University.

Similar presentations

Ads by Google