Slide 1
www.egi.eu EGI-InSPIRE RI-261323
User Support in IGI: Related Tools and Services in Italy
EGI Technical Forum 2011, 19-23 September 2011, Lyon Conference Centre, France
Giuseppe LA ROCCA (giuseppe.larocca@ct.infn.it), INFN – Sez. di Catania, Italy
Slide 2: Outline
Introduction to the RESTful “lightweight” crypto library API:
– The Architecture;
– SW/HW Requirements;
– Success stories.
Investigation of new solutions for the design of a general purpose Grid portal for scientific applications.
GriF: a collaborative tool for grid empowered computational applications.
Slide 3: Introduction to the RESTful “lightweight” crypto library API
– The Architecture;
– Software Requirements: Java™ PKCS#11, Bouncy Castle and Java CoG Kits; JAX-RS 1.2 Java APIs using the Jersey implementation; VOMS-API v.3.0; Apache Tomcat 6.0.32 as a Web Container;
– Success Stories: the DECIDE, ViralGrid and EUMEDGrid-Support use cases.
Slide 4: Why a RESTful “lightweight” crypto library?
REST (Representational State Transfer) is nowadays a de facto standard for accessing distributed resources in a web-affine manner.
Every resource is uniquely identified by a global ID;
– E.g.: https://infn-lb-01.ct.pi2s2.it:9000/cANG8Wt2C8PYcL6h8YiLRg
The JAX-RS (Java API for RESTful Web Services) specification, presented in JSR 311, defines a standard way to deploy RESTful web services;
Jersey is the open source JAX-RS (JSR 311) Reference Implementation for building RESTful web services.
Slide 5: Additional SW/HW Requirements
The Cryptographic Token Interface Standard (PKCS#11) is a standard introduced by RSA Data Security Inc;
– It defines native programming interfaces to access cryptographic tokens (hardware cryptographic accelerators, smart cards, …);
The Bouncy Castle APIs provide support for creating two kinds of X.509 certificates (ver. 1 and ver. 3);
CoG Kits allow users to provide Globus Toolkit functionality within their code without calling scripts, or in some cases without having Globus installed;
The VOMS-Admin library (ver. 3.0), developed in the context of the DILIGENT and D4Science projects, is used to interact with the VOMS server and retrieve the list of groups/roles per VO;
eToken PRO smart cards (32/64KB) with the pki-client software (ver. 4.55-34).
Slide 6: The 4-tier architecture of the “lightweight” crypto library
[Architecture diagram; tier labels recoverable from the slide text: Users; Client Applications; Grid Portals / Science Gateways]
Slide 7: Main Features
Deployed on Tomcat Application Server (ver. 6.0.32);
Based on the PKCS#11 standard;
Thread-safe access to the list of smart cards;
SSL encryption using a trusted host certificate;
Caching of proxy certificates for each valid requestID = serial + vo + fqan
– If lifetime(requestID) – threshold > 0, the cached proxy is sent to the Science Gateway;
– Performance of the server evaluated with Apache JMeter: ~6-8 s waiting time for a new proxy; 20 ms for a cached proxy.
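The caching rule on this slide (requestID = serial + vo + fqan; the cached proxy is served only while lifetime minus threshold is positive) as an added Python example. This is not code from the eTokenServer project: proxy generation is stubbed by an injected callable, the threshold and clock are constructor arguments, and the serial, VO and FQAN values are constructed; none of these come from the slides.

```python
"""Proxy-certificate cache keyed on requestID = serial + vo + fqan.

Added illustration of the caching rule on the slide; not code from the
eTokenServer project. Assumptions (not on the page): a proxy is modelled as
a record carrying its expiry time, the threshold is a constructor argument,
and proxy generation is a callable injected by the caller so the example
runs offline without a smart card or VOMS server.
"""
from dataclasses import dataclass
import threading
import time
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class RequestID:
    """The cache key the slide describes: serial + vo + fqan."""
    serial: str  # serial of the robot certificate on the smart card
    vo: str      # Virtual Organisation
    fqan: str    # Fully Qualified Attribute Name (group/role)


@dataclass
class CachedProxy:
    pem: str           # constructed placeholder; a real proxy is a PEM chain
    expires_at: float  # proxy end-of-validity, epoch seconds


class ProxyCache:
    """Serve a cached proxy only while lifetime(requestID) - threshold > 0."""

    def __init__(self, threshold_s: float,
                 generate: Callable[[RequestID, float], CachedProxy],
                 now: Callable[[], float] = time.time) -> None:
        self._threshold_s = threshold_s
        self._generate = generate   # expensive path (~6-8 s on the slide)
        self._now = now             # injectable clock, used by the demo
        self._cache: Dict[RequestID, CachedProxy] = {}
        self._lock = threading.Lock()  # one lock: the slide asks for thread-safe access

    def remaining_lifetime(self, rid: RequestID) -> float:
        """Seconds of validity left for the cached proxy, 0 if none is cached."""
        with self._lock:
            entry = self._cache.get(rid)
            if entry is None:
                return 0.0
            return max(0.0, entry.expires_at - self._now())

    def get(self, rid: RequestID) -> Tuple[str, bool]:
        """Return (proxy_pem, cache_hit). A proxy whose remaining lifetime is
        within the threshold is regenerated instead of being handed out."""
        with self._lock:
            now = self._now()
            entry = self._cache.get(rid)
            if entry is not None and (entry.expires_at - now) - self._threshold_s > 0:
                return entry.pem, True
            entry = self._generate(rid, now)   # miss or too close to expiry
            self._cache[rid] = entry
            return entry.pem, False


def demo() -> Tuple[List[bool], int]:
    """Drive the cache with a fake clock and a fake generator (constructed data)."""
    clock = [1_000_000.0]
    generated: List[RequestID] = []

    def fake_generate(rid: RequestID, now: float) -> CachedProxy:
        generated.append(rid)
        # constructed 12-hour proxy; no real certificate is produced
        return CachedProxy(pem=f"CONSTRUCTED-PROXY:{rid.serial}:{rid.vo}:{rid.fqan}",
                           expires_at=now + 12 * 3600)

    cache = ProxyCache(threshold_s=3600, generate=fake_generate, now=lambda: clock[0])
    rid = RequestID("1A2B3C", "vo.example.org", "/vo.example.org/Role=NULL")

    hits = []
    hits.append(cache.get(rid)[1])      # miss: nothing cached yet
    hits.append(cache.get(rid)[1])      # hit: 12 h left, well above the 1 h threshold
    clock[0] += 11.5 * 3600             # 30 min left: inside the threshold
    hits.append(cache.get(rid)[1])      # miss: regenerated before it expires
    other = RequestID("1A2B3C", "vo.example.org", "/vo.example.org/Role=VO-Admin")
    hits.append(cache.get(other)[1])    # miss: a different fqan is a different key
    return hits, len(generated)


if __name__ == "__main__":
    print(demo())
```

The threshold is what keeps a Science Gateway from receiving a proxy that expires mid-job, so it should be chosen against the longest operation the gateway performs with the proxy. Holding one lock while generating serialises every slow generation; a production service would lock per requestID so that unrelated VOs and FQANs do not wait on each other.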
Slide 8: The working scenario (*)
[Sequence diagram; components recoverable from the slide text: eTokenServer, MyProxy Server, VOMS Server. Labelled interactions: ask for a service list / create request; ask for VOMS AC attributes and groups/roles; retrieve serials/proxy; store long proxy; execute service; get results]
(*) SSL encryption
Slide 9: Some examples of usage (1/3)
[Screenshots: listing the X.509 certificates installed on the eTokenServer; printing results in JSON format]
Slide 10: Some examples of usage (2/3)
[Screenshots: generating a VOMS proxy from a given robot certificate; using the VOMS-Admin library to update the list of groups/roles]
Slide 11: Success Stories
The new crypto library is currently used by:
– The DECIDE Science Gateway (see the DECIDE demonstration at EGI-UF 2011; Abstract [47] – “The DECIDE project Science Gateway”, Sept. 20th, 14:00 – 14:15, Rhone 3);
– The ViralGrid Science Gateway;
– The EUMEDGRID-Support Service Challenge and Science Gateway (Abstract [57] – “The EUMEDGRID-Support User Forum”, Sept. 23rd, 09:00 – 12:30, Rhone 2).
Slide 12: Investigation of new solutions for the design of a general purpose Grid portal for scientific applications
Slide 13: Overview
IGI (Italian Grid Initiative) is developing a web portal to ease access to grid and cloud services;
The main goal is to hide the “complexity” of X.509 certificates (request and management);
IGTF policies and guidelines have been taken into account when designing the framework.
Slide 14: Two different scenarios
We distinguish between users with and without an X.509 certificate.
– User with certificate: uploads it;
– User without certificate: the portal asks a CA-online for a certificate on behalf of the user.
Slide 15: Our Proposal
The portal, using the SAML Delegation mechanism, asks a CA online for a Member Integrated Credential Services (MICS) certificate on behalf of the user;
Why MICS?
– Certificate management is easier and more transparent for the user;
– Avoids failures for jobs submitted close to the expiration date of Short Lived Certificates (SLCs).
Slide 16: Configuration
During the first login, the user has to set his/her personal settings:
– Select the Identity Federation;
– Personal Information (FirstName, LastName, Institution, …);
– Upload a new certificate (if any); if not, a CA-online will be contacted;
– Add a VO membership;
– Request a new VO membership;
– Specify a FQAN for each VO.
Slide 17: Authentication (1/2)
Strong user identification by means of an IdP belonging to an accredited identity federation (i.e. the IDEM federation);
– If a user is not registered in an accredited identity federation, he/she can't access the grid and cloud services through the portal.
The portal redirects the user to his/her IdP login page;
Once the proper IdP has authenticated the user, he/she is automatically logged into the portal.
Slide 18: Authentication (2/2)
The VOMS Server is contacted to sign the proxy with the right VOMS extensions;
The portal asks for a passphrase to retrieve the proxy from the MyProxy Server.
Slide 19: 4. Grid & Cloud Access
For Job Submission and Data Management tasks, the portal uses WS-PGrade (MTA-SZTAKI);
– Other solutions are under investigation, e.g. JSAGA (IN2P3);
For Cloud resource provisioning, the portal is interfaced with WNoDES (INFN-CNAF);
The accounting portlet provides information for both environments.
Slide 20: The Portal Schema as a whole
[Diagram of the portal schema]
Slide 21: GriF: a collaborative tool for grid empowered computational applications
Slide 22: What is GriF?
– GriF is a SOA Grid Framework aimed at running multi-purpose scientific applications on the EGI Grid;
– Easy submission over the Grid;
– Optimized distribution of tasks;
– Java based framework;
– Supports single and multiple job submission;
– For further information visit the link.
Slide 23: Tools for an E-science environment: Efficient Grid submission
Slide 24: GCreS: a credit system to reward member activities
– Use Grid sensors to evaluate services provided;
– Use Grid sensors to evaluate user activities;
– Introduce a metric in the VO;
– Implement a credit system and cost of services.
Slide 25: Thank you!