Presentation is loading. Please wait.

Presentation is loading. Please wait.

Www.egi.eu EGI-InSPIRE RI-261323 www.egi.eu EGI-InSPIRE RI-261323 User Support in IGI: Related Tools and Services in Italy EGI Technical Forum 2011 19-23.

Published byOswin Carroll Modified over 9 years ago

Similar presentations

Presentation on theme: "Www.egi.eu EGI-InSPIRE RI-261323 www.egi.eu EGI-InSPIRE RI-261323 User Support in IGI: Related Tools and Services in Italy EGI Technical Forum 2011 19-23."— Presentation transcript:

1 www.egi.eu EGI-InSPIRE RI-261323 www.egi.eu EGI-InSPIRE RI-261323 User Support in IGI: Related Tools and Services in Italy EGI Technical Forum 2011 19-23 September 2011, Lyon Conference Centre, France Giuseppe LA ROCCA (giuseppe.larocca@ct.infn.it) INFN – Sez. di Catania, Italygiuseppe.larocca@ct.infn.it

2 www.egi.eu EGI-InSPIRE RI-261323 Outline Introduction to the RESTful “lightweight” crypto library API: – The Architecture; – SW/HW Requirements; – Success stories. Investigation of new solutions for the design of a general purpose Grid portal for scientific applications. GriF: a collaborative tool for grid empowered computational applications.

3 www.egi.eu EGI-InSPIRE RI-261323 Introduction to the RESTful “lightweight” crypto library API: – The Architecture; – Software Requirements: Java™ PKCS#11, Bouncy Castle and Java CoG Kits; JAX-RS 1.2 Java APIs using Jersey implementation; VOMS-API v.3.0; Apache Tomcat 6.0.32 as a Web Container; – Success Stories: The DECIDE, ViralGrid and EUMEDGrid-Support use cases.

4 www.egi.eu EGI-InSPIRE RI-261323 REST (Representational State Transfer) is nowadays a de facto standard to access distributed resources in a web-affine manner. Why a RESTful “lightweight” crypto library ? Every resources is uniquely represented by a global ID’s; – Eg.: https://infn-lb-01.ct.pi2s2.it:9000/cANG8Wt2C8PYcL6h8YiLRghttps://infn-lb-01.ct.pi2s2.it:9000/cANG8Wt2C8PYcL6h8YiLRg The JAX-RS (Java API for RESTful Web Services) specification presented in JSR 311 defines a standard way to deploy RESTful web services;JAX-RS Jersey is the open source JAX-RS (JSR 311) Reference Implementation for building RESTful Web services. Jersey

5 www.egi.eu EGI-InSPIRE RI-261323 Additional SW/HW Requirements … The Cryptographic Token Interface Standard (PKCS#11) is a standard introduced by RSA Data Security Inc;Cryptographic Token Interface Standard (PKCS#11)RSA Data Security Inc – It defines native programming interfaces to access cryptographic tokens, (hardware cryptographic accelerators, smart cards, … ); The Bouncy Castle APIs provide support for creating two kinds of X.509 certificates (ver.1 and ver.3);Bouncy Castle CoG Kits allow users to provide Globus Toolkit functionality within their code without calling scripts, or in some cases without having Globus installed; CoG Kits VOMS-Admin library (ver. 3.0), developed in the context of the DILIGENT and D4Science projects, were used for interacting the VOMS server and retrieve the list of groups/roles per VO; VOMS-AdminDILIGENT D4Science eToken PRO smart cards (32/64KB) with the pki-client software (ver. 4.55-34).

6 www.egi.eu EGI-InSPIRE RI-261323 Users Client Applications Grid Portals / Science Gateways The 4-tier architecture of the “lightweight” crypto library

7 www.egi.eu EGI-InSPIRE RI-261323 Deployed on Tomcat Application Server (ver. 6.0.32); Based on PKCS#11 standard; Thread-safe access to the list of smart cards; SSL encryption using a trusted host certificate; Caching of proxy certificates for each valid requestID = serial + vo + fqan – If lifetime (requestID) – threshold > 0 the proxy cached will be sent to the Science Gateways – Evaluated performance of the server using Apache Jmeter: ~ 6-8 s waiting time for a new proxy; 20 ms for a cached proxy. Main Features

8 www.egi.eu EGI-InSPIRE RI-261323 eTokenServer MyProxy Server ask for VOMS AC attributes and groups/roles VOMS Server store long proxy The working scenario (*) SSL encryption get results ask for a service list/create request execute service get results retrieve serials/proxy (*)

9 www.egi.eu EGI-InSPIRE RI-261323 Some examples of usage (1/3) Printing results in JSON format Listing the X.509 certificates installed on the eTokenServer.

10 www.egi.eu EGI-InSPIRE RI-261323 Generating a VOMS proxy from a given robot certificate: Using VOMS-Admin library to update the list of groups/roles Some examples of usage (2/3)

11 www.egi.eu EGI-InSPIRE RI-261323 Success Stories The new crypto library is currently used by: – The DECIDE Science Gateway (See the DECIDE demonstration at EGI-UF 2011 here);here (Abstract [47] – “The DECIDE project Science Gateway”, on Sept. 20 th, 14:00 – 14:15, Rhone 3) – The ViralGrid Science Gateway ( web );web – The EUMEDGRID-Support Service Challenge ( web ) and Science Gatewayweb (Abstract[57] – “The EUMEDGRID-Support User Forum”, on Sept. 23 rd, 09:00 – 12:30, Rhone 2)

12 www.egi.eu EGI-InSPIRE RI-261323 Investigation of new solutions for the design of a general purpose Grid portal for scientific applications.

13 www.egi.eu EGI-InSPIRE RI-261323 IGI (Italian Grid Initiative) is developing a web portal to ease the access to grid and cloud services; The main goal is to hide the “complexity” of X.509 certificates (request and management); IGTF policies and guidelines have been taken into account when designing the framework. Overview

14 www.egi.eu EGI-InSPIRE RI-261323 Two different scenarios We distinguish between users with or without a X.509 certificate. – User with certificate: upload it; – User without certificate: portal asks for a certificate to a CA-online on behalf of the user.

15 www.egi.eu EGI-InSPIRE RI-261323 The portal, using SAML Delegation mechanism, asks for a Member Integrated Credential Services (MICS) certificate to a CA online on behalf of the user; Member Integrated Credential Services Why MICS? – The certificate management is easier and more transparent for the user; – Avoid failure for jobs that have been submitted close to the Short Lived Certificates (SLCs) expiration date. Our Proposal

16 www.egi.eu EGI-InSPIRE RI-261323 During the first login, the user has to set his/her personal settings: – Select the Identity Federation; – Personal Information (FirstName, LastName, Institution, …); – Upload a new certificate (if any); If not, a CA-online certificate will be contacted. – Add a VO membership; Configuration – Request a new VO membership; – Specify for each VO a FQAN.

17 www.egi.eu EGI-InSPIRE RI-261323 Strong user identification by means of an IdP belonging to an accredited identity federation (i.e. IDEM federation); – If a user is not registered in accredited identity federation he/she can’t access the grid and cloud services through the portal. The portal redirects user to his/her IdP login page; Once the proper IdP has authenticated the user he/she will be automatically logged into the portal; Authentication (1/2)

18 www.egi.eu EGI-InSPIRE RI-261323 Authentication (2/2) The VOMS Server is contacted to sign the proxy with the right VOMS extensions. The portal asks for a passphrase to retrieve the proxy from the MyProxy Server;

19 www.egi.eu EGI-InSPIRE RI-261323 For Job Submission and Data Management tasks, the portal uses WS-PGrade (MTA-SZTAKI); – Other solutions are under investigation: e.g.: JSAGA (IN2P3); For Cloud resource provisioning the portal is interfaced with WNoDES (INFN-CNAF); The accounting portlet provides information for both environment. 4. Grid & Cloud Access

20 www.egi.eu EGI-InSPIRE RI-261323 The Portal Schema as a whole

21 www.egi.eu EGI-InSPIRE RI-261323 GriF: a collaborative tool for grid empowered computational applications.

22 www.egi.eu EGI-InSPIRE RI-261323 What is GriF ? – GriF is a SOA Grid Framework aimed at running on the EGI Grid multi-purpose scientific applications; – Easy submission over the Grid; – Optimized distributions of tasks; – Java based framework; – Support single and multiple job submission; – For further information visit the linklink

23 www.egi.eu EGI-InSPIRE RI-261323 Tools for an E-science environment: Efficient Grid submission

24 www.egi.eu EGI-InSPIRE RI-261323 GCreS: a credit system to reward member activities – Use Grid sensors to evaluate services provided; – Use Grid sensors to evaluate user activities; – Introduce a metric in the VO; – Implement a credit system and cost of services.

25 www.egi.eu EGI-InSPIRE RI-261323 Thank you!

Download ppt "Www.egi.eu EGI-InSPIRE RI-261323 www.egi.eu EGI-InSPIRE RI-261323 User Support in IGI: Related Tools and Services in Italy EGI Technical Forum 2011 19-23."

Similar presentations

EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks MyProxy and EGEE Ludek Matyska and Daniel.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks MyProxy and EGEE Ludek Matyska and Daniel.
MyProxy Jim Basney Senior Research Scientist NCSA

MyProxy Jim Basney Senior Research Scientist NCSA
TNC 2008 / Short Lived Credential Service Implementation Based on National AAI Short Lived Credential Service Implementation Based on National AAI Emir.

TNC 2008 / Short Lived Credential Service Implementation Based on National AAI Short Lived Credential Service Implementation Based on National AAI Emir.
Contrail and Federated Identity Management

Contrail and Federated Identity Management
MyProxy: A Multi-Purpose Grid Authentication Service

MyProxy: A Multi-Purpose Grid Authentication Service
Introduction on Science Gateway Understanding access and functionalities Catania, 09/06/2014Riccardo Rotondo

Introduction on Science Gateway Understanding access and functionalities Catania, 09/06/2014Riccardo Rotondo
Www.egi.eu EGI-InSPIRE RI-261323 EGI-InSPIRE www.egi.eu EGI-InSPIRE RI-261323 GGUS user authentication Tiziana Ferrari/EGI.eu Peter Solagna/EGI.eu 05-02-2013.

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI GGUS user authentication Tiziana Ferrari/EGI.eu Peter Solagna/EGI.eu
Grid Security. Typical Grid Scenario Users Resources.

Grid Security. Typical Grid Scenario Users Resources.
Www.egi.eu EGI-InSPIRE RI-261323 EGI-InSPIRE www.egi.eu EGI-InSPIRE RI-261323 EGI - Identity Management Steven Newhouse Director, EGI.eu Federated Identity.

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI EGI - Identity Management Steven Newhouse Director, EGI.eu Federated Identity.
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
Catania Science Gateway Framework Motivations, architecture, features Catania, 09/06/2014Riccardo Rotondo

Catania Science Gateway Framework Motivations, architecture, features Catania, 09/06/2014Riccardo Rotondo
National Computational Science National Center for Supercomputing Applications National Computational Science MyProxy: An Online Credential Repository.

National Computational Science National Center for Supercomputing Applications National Computational Science MyProxy: An Online Credential Repository.
Riccardo Bruno INFN.CT Sevilla, 10-14 Sep 2007 The GENIUS Grid portal.

Riccardo Bruno INFN.CT Sevilla, Sep 2007 The GENIUS Grid portal.
The EPIKH Project (Exchange Programme to advance e-Infrastructure Know-How) Grid Engine Riccardo Rotondo

The EPIKH Project (Exchange Programme to advance e-Infrastructure Know-How) Grid Engine Riccardo Rotondo
CGW 2003 Institute of Computer Science AGH Proposal of Adaptation of Legacy C/C++ Software to Grid Services Bartosz Baliś, Marian Bubak, Michał Węgiel,

CGW 2003 Institute of Computer Science AGH Proposal of Adaptation of Legacy C/C++ Software to Grid Services Bartosz Baliś, Marian Bubak, Michał Węgiel,
Tweaking the Certificate Lifecycle for the UK eScience CA John Kewley NGS Support Centre Manager & Service Manager for the UK e-Science CA

Tweaking the Certificate Lifecycle for the UK eScience CA John Kewley NGS Support Centre Manager & Service Manager for the UK e-Science CA
Www.egi.eu EGI-InSPIRE RI-261323 www.egi.eu EGI-InSPIRE RI-261323 EGI-InSPIRE EGI services for the long tail of science Peter Solagna Senior Operations.

EGI-InSPIRE RI EGI-InSPIRE RI EGI-InSPIRE EGI services for the long tail of science Peter Solagna Senior Operations.
Towards a Javascript CoG Kit Gregor von Laszewski Fugang Wang Marlon Pierce Gerald Guo

Towards a Javascript CoG Kit Gregor von Laszewski Fugang Wang Marlon Pierce Gerald Guo
1.The portal sends, under the user approval, user’s attribute retrieved from IDP to CA bridge 2.CA bridge module requests to a CA-online a certificate.

1.The portal sends, under the user approval, user’s attribute retrieved from IDP to CA bridge 2.CA bridge module requests to a CA-online a certificate.
23:48:11Service Oriented Cyberinfrastructure Lab, Grid Portals Fugang Wang April 29

23:48:11Service Oriented Cyberinfrastructure Lab, Grid Portals Fugang Wang April 29

Similar presentations

Ads by Google