
NMI Testbed Activities at Virginia


Presentation Transcript


  1. NMI Testbed Activities at Virginia
     SURA NMI Testbed Workshop, October 1, 2004
     Jim Jokl, jaj@Virginia.EDU

  2. UVa Participation in the NMI Testbed
     • Context for middleware @ UVa
       • ~19,000 students (~5,000 graduate/professional)
       • ~11,000 faculty and staff
       • Consolidated central computing (ITC)
         • Academic & administrative computing, network & telecom
         • A separate Hospital Computing group runs the systems that support patient care
     • NMI Testbed Project @ UVa
       • Marty Humphrey – Computer Science
         • Focus on the Grid components
       • Jim Jokl – ITC
         • Focus on the EDIT components

  3. NMI Authentication & Authorization
     • Background
       • A few authoritative systems
         • Email, Unix, Active Directory, some certificates
       • Locally developed Apache module: UVaAuth
         • Enables authentication against the reference systems
         • User-developed applications are OK since they do not collect the user name or password
         • But no Web single sign-on capability
     • Improving the situation by leveraging some of the NMI components
       • PubCookie as a replacement for UVaAuth
       • Shibboleth for inter-institutional applications

  4. Shibboleth at UVa
     • Goal: enable use of local UVa credentials to access remote resources with privacy protection
     • Initial installation & testing of our Shibboleth Origin against the Internet2 test target in February 2003
       • Clean installation; the only headaches were case sensitivity on a certificate field and some Tomcat configuration issues
     • Initial application: WebAssign for Physics department courses
       • First WebAssign group: April 2003
       • Production: fall 2003, spring 2004, and now
       • Positive feedback from faculty, no real problems
     • Next application: JSTOR access
       • Had also done the DLF certificate model earlier with JSTOR
       • More library usage when some of this becomes mandatory and/or more pervasive
     • Shibboleth@UVa link

  5. PubCookie at UVa
     • Motivation
       • Replace the local UVaAuth WebSO Apache module with PubCookie
       • Obtain Web single sign-on functionality
     • Main tasks
       • Integrated our authentication into the Pubcookie source
         • Added RADIUS and SMB authentication
         • PubCookie code well designed and easy to work with
       • PubCookie-enable applications (link)
     • Applications
       • First application was going to be the new student voting system
         • Didn’t fly due to branding issues on the login screen
       • Testing the IIS version now
       • Plan to work on many applications over the coming year
         • Web home directory interface, web mail, etc.
       • Once we get enough applications converted, our portal will probably start to use the system

  6. UVa Directory System Schematic
     (diagram only)

  7. Directory Services
     • Goals
       • All of the usual ones: a central repository for people, groups, attributes for authorization decisions, white pages, etc.
     • Helpful NMI components
       • LDAP Recipe
       • eduPerson
       • LDAP Analyzer
     • Upgrades completed
       • eduPerson
         • Our central systems already had all of the data needed
         • We do not use eduPersonEntitlement at this time
       • Added to UVaPerson
         • Cisco VPN schema for authorization
       • Provided a mechanism for users to upload photos into the directory

  8. University of Virginia PKI
     • Project goal
       • Enable PKI support in a wide range of applications
       • Deploy two campus CAs to support two types of PKI-enabled applications
     • Standard Assurance CA
       • For better security on common applications
       • Improve ease of use on some applications
       • Identity proofing marginally stronger than that used with simple passwords
     • High Assurance CA
       • For new applications requiring high security and 2-factor authentication
       • Strong identity validation before a certificate is issued

  9. UVa Standard Assurance CA
     • Focus: new applications & ease of use
     • NMI components used
       • PKI-Lite Policy/Practices framework (link)
       • PKI-Lite certificate profiles
     • Was designed to support many common applications over time
       • Web authentication
       • VPN authentication
       • S/MIME: signed and encrypted email
       • SSL server certificates
       • EAP-TLS for wireless access control
       • Grid authentication

  10. Standard Assurance CA Applications
     • Cisco VPN services
       • UVa-Anywhere remote access VPN
         • Pair of Cisco 3030 VPN concentrators, configured as full tunnel
         • Default tunnel transport is now TCP on port 80
         • Some early problems with some home router software, MTU
       • “More Secure” network VPN
         • Uses LDAP authorization to prevent student access
     • Other applications
       • Web authentication (software download now, more later)
       • Globus toolkit
       • Perhaps Shibboleth & PubCookie in the future

  11. EAP-TLS Wireless Authentication
     • The user verifies the RADIUS server’s identity using PKI
     • The RADIUS server verifies the user’s identity using PKI
     • Association is allowed and dynamic session crypto keys are exchanged
     • Goal: an LDAP-based authorization step will be added soon
     (diagram: User – Access Point – RADIUS Server – LDAP AuthZ)

  12. Standard Assurance CA Applications: Wireless Authentication
     • Old wireless network
       • Access control via LEAP or MAC registration
     • Transitioned to the new authentication this summer
       • Added an EAP-TLS VLAN, removed LEAP
         • This is the broadcast SSID
       • Main issue encountered
         • Old drivers for users’ wireless cards
       • Retaining a legacy MAC registration-only VLAN
         • Some devices do not support EAP-TLS
     • Will add an EAP-TLS VLAN for access to the “More Secure” network in the future
     • Some changes were made to the PKI-Lite certificate profile recommendations as a result of this work

  13. UVa High Assurance CA
     • Focus
       • Applications requiring high security and 2-factor authentication
     • NMI component
       • Designed for Higher Education Campus Certificate Policy
     • Two-step Registration Authority (RA) process
       • In-person photo identification check
       • User web form and database validation protect against an RA
     • User hardware token required
       • 2-factor authentication, strong private key protection
       • Enables easy mobility, provides idle timeout

  14. UVa High Assurance CA Applications
     • Focus on applications needing higher assurance levels using 2-factor authentication
       • SSH authentication for sysadmins of critical systems (ERP system admins and DBAs)
         • ssh.com commercial server & VanDyke SecureCRT
       • VPN authentication for access to special-purpose networks (ERP, HIPAA, etc.)
       • Web authentication for network management delegation to department staff
       • Some internal apps: RA, VPN AuthZ management, etc.
     • Future
       • Windows 2000/XP authentication??
       • Digital signatures and HEBCA applications??

  15. Hospital Net VPN: PKI 2-factor Authentication with LDAP Authorization
     (diagram: Main Campus Network – Oracle ERP – VPN Concentrators – Firewalls (IN/OUT) – servers S1, S2, S3 … Sn – LDAP AuthZ Servers)

  16. Campus Globus Integration
     • Enable the use of a single set of central campus credentials for Grid applications
       • Focus on intra-campus use
       • Enable different research groups to share more easily
     • NMI components
       • Globus toolkit
       • PKI-Lite components
     • The Globus toolkit uses PKI for authentication of users and resources
       • The PKI-Lite certificate profile works well with Globus
       • Intra-campus CA integration is complicated by the Globus interface
         • Campus CAs and OS-exported certificates are generally in PKCS-12 format
         • Globus expects raw PEM files for the certificate and the private key
       • However, no significant problems for intra-campus use
     • Our longer-term goal:
       • More use of Globus by campus researchers
       • Build a UVa Grid
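The PKCS-12 to PEM step that slide 16 calls out, as an added shell example; this is not UVa's or the Globus project's own tooling. It assumes the OpenSSL command-line tool is installed, reads the import passphrase from an environment variable named `P12_PASS` (a convention chosen here, not a Globus one), and stands in a throwaway self-signed identity constructed inline for a certificate exported from a campus CA. The file names `usercert.pem` / `userkey.pem` and the 0644 / 0600 modes are the layout Globus GSI expects under `$HOME/.globus`.

```shell
#!/bin/sh
# Added example (not UVa's or the Globus project's own tooling): turn a PKCS#12
# bundle, as exported by a browser or OS key store, into the two PEM files that
# Globus GSI reads ($HOME/.globus/usercert.pem, mode 0644, and userkey.pem,
# mode 0600), and confirm the key and certificate belong together first.
set -e

# p12_to_globus_pem BUNDLE.p12 OUTDIR
# The import passphrase is taken from $P12_PASS (env:, so it never appears on
# a command line). Returns 0 only if both files were written and match.
p12_to_globus_pem() {
    p12="$1"; out="$2"
    mkdir -p "$out"
    # Certificate only: -clcerts drops CA certs bundled in the file, and
    # re-reading through `openssl x509` strips the PKCS#12 "Bag Attributes".
    openssl pkcs12 -in "$p12" -passin env:P12_PASS -clcerts -nokeys \
        | openssl x509 -out "$out/usercert.pem"
    chmod 644 "$out/usercert.pem"
    # Private key: create the file 0600 from the start (umask 077) rather than
    # chmod afterwards; Globus rejects a key readable by group or others.
    # It stays passphrase-protected on disk (re-using $P12_PASS for the demo).
    rm -f "$out/userkey.pem"
    ( umask 077; openssl pkcs12 -in "$p12" -passin env:P12_PASS -nocerts \
          -passout env:P12_PASS -out "$out/userkey.pem" )
    # Consistency check: the certificate's public key must equal the key's.
    certpub=$(openssl x509 -in "$out/usercert.pem" -pubkey -noout)
    keypub=$(openssl pkey -in "$out/userkey.pem" -passin env:P12_PASS -pubout)
    [ "$certpub" = "$keypub" ]
}

# make_test_bundle DIR: a throwaway self-signed identity packed as PKCS#12,
# standing in (constructed) for a certificate exported from a campus CA.
make_test_bundle() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/O=Example Campus/CN=Test Grid User" \
        -keyout "$1/id.key" -out "$1/id.crt" 2>/dev/null
    openssl pkcs12 -export -in "$1/id.crt" -inkey "$1/id.key" \
        -passout env:P12_PASS -out "$1/id.p12"
    echo "$1/id.p12"
}

P12_PASS="constructed-demo-passphrase"; export P12_PASS
WORK=$(mktemp -d)
BUNDLE=$(make_test_bundle "$WORK")
p12_to_globus_pem "$BUNDLE" "$WORK/.globus"
echo "wrote $WORK/.globus/usercert.pem and userkey.pem"
```

The public-key comparison at the end is the check worth keeping in any install helper of the kind slide 27 asks for: a bundle that contains the wrong key, or a certificate chain with the CA cert first, fails here rather than at the first `grid-proxy-init`.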

  17. Inter-campus Globus Integration
     • Goal: support the use of native campus PKI credentials in an inter-institutional Grid
       • Enable users to do all of their work using their local campus credentials
     • Inter-campus trust is more difficult
       • Hierarchical PKI CAs
       • PKI Bridge CA
       • Can we make Globus operate in a bridged PKI?
         • OpenSSL PKI in Globus is not bridge-aware
     • Project: scope inter-campus Grid trust issues, preparing to leverage Higher Education PKI efforts
       • EDUCAUSE Higher Education Bridge CA (HEBCA)
       • Internet2 US Higher Education Root CA (USHER)

  18. Schematic of Grid Testbed PKI Integration Goal
     (diagram: Testbed CA and Testbed Bridge CA; cross-cert pairs to A’s PKI, B’s PKI, C’s PKI; Campus A–F Grids; Grid User Certs)

  19. Inter-campus Testbed Globus Project Activity
     • Built Testbed Bridge CA
       • Off-line system
       • Used Linux and OpenSSL to build the bridge
       • Stored securely when not in use
     • Cross-certifications
       • UVA
       • UAB
       • TACC
       • USC
     • We’ll know a lot more in a few weeks
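The cross-certification arrangement of slides 17 to 19 (a Testbed Bridge CA built with OpenSSL and cross-certified with campus CAs), as an added shell example; these are not the testbed's own scripts. It constructs two campus root CAs and a bridge CA inline with OpenSSL, cross-certifies them, and then uses `openssl verify` to show that a user certificate issued by Campus A validates from Campus B's trust anchor only when the cross-certificates are supplied as the untrusted path. All names, DNs, and lifetimes are made up for the demo. A real bridge exchanges cross-certificate pairs in both directions and usually adds policy mappings and name constraints; only the one direction needed for this path is shown.

```shell
#!/bin/sh
# Added example (not the testbed's own scripts): two campus root CAs and a
# bridge CA built with OpenSSL, cross-certified, then path validation of a
# Campus A user certificate from Campus B's trust anchor through the bridge.
# All names, DNs and lifetimes are constructed for the demo.
set -e
W=$(mktemp -d)
DN_A="/O=Campus A/CN=Campus A CA"
DN_B="/O=Campus B/CN=Campus B CA"
DN_BR="/O=Testbed/CN=Testbed Bridge CA"
# Extension profiles: CA certificates (roots and cross-certs) vs. end-entity.
# Explicit SKID/AKID keep issuer matching deterministic across OpenSSL versions.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid\n' > "$W/ca.ext"
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid\n' > "$W/ee.ext"

# new_root NAME DN: generate a key pair and a self-signed root certificate.
new_root() {
    openssl genrsa -out "$W/$1.key" 2048 2>/dev/null
    openssl req -new -key "$W/$1.key" -subj "$2" -out "$W/$1.csr"
    openssl x509 -req -in "$W/$1.csr" -signkey "$W/$1.key" -days 2 \
        -extfile "$W/ca.ext" -out "$W/$1.crt" 2>/dev/null
}

# issue ISSUER KEYNAME DN EXTFILE OUTNAME: ISSUER signs a certificate over the
# existing key KEYNAME. With ca.ext this is a cross-certificate: the issuer
# vouches for another CA's key under that CA's own name.
issue() {
    openssl req -new -key "$W/$2.key" -subj "$3" -out "$W/$5.csr"
    openssl x509 -req -in "$W/$5.csr" -CA "$W/$1.crt" -CAkey "$W/$1.key" \
        -CAcreateserial -days 2 -extfile "$W/$4" -out "$W/$5.crt" 2>/dev/null
}

build_testbed() {
    new_root campusA "$DN_A"
    new_root campusB "$DN_B"
    new_root bridge "$DN_BR"
    # One direction of each cross-cert pair is enough for this path:
    # the bridge certifies Campus A's CA key; Campus B certifies the bridge's key.
    issue bridge  campusA "$DN_A"  ca.ext campusA-by-bridge
    issue campusB bridge  "$DN_BR" ca.ext bridge-by-campusB
    # An ordinary Grid user credential issued by Campus A.
    openssl genrsa -out "$W/user.key" 2048 2>/dev/null
    issue campusA user "/O=Campus A/CN=Grid User" ee.ext user
    # The untrusted path a Campus B relying party needs: both cross-certs.
    cat "$W/campusA-by-bridge.crt" "$W/bridge-by-campusB.crt" > "$W/bridge-path.pem"
}

# verify_from ROOT [UNTRUSTED]: validate user.crt with ROOT as the only trust
# anchor, optionally supplying UNTRUSTED as intermediate certificates.
# Returns openssl verify's status (0 = a valid path was found).
verify_from() {
    if [ -n "$2" ]; then
        openssl verify -CAfile "$W/$1.crt" -untrusted "$W/$2" "$W/user.crt" >/dev/null 2>&1
    else
        openssl verify -CAfile "$W/$1.crt" "$W/user.crt" >/dev/null 2>&1
    fi
}

build_testbed
verify_from campusA && echo "Campus A anchor, direct:           OK"
if verify_from campusB; then echo "unexpected"; else echo "Campus B anchor, no cross-certs:  rejected"; fi
verify_from campusB bridge-path.pem && echo "Campus B anchor via bridge path:  OK"
```

The third check is the path a bridged relying party must build: user certificate, then the bridge's cross-certificate for Campus A's CA, then Campus B's cross-certificate for the bridge, ending at Campus B's own root. Slide 17 notes that the OpenSSL-based PKI in Globus at the time could not do this, which is why the bridge in slide 19 is a testbed activity rather than a drop-in.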

  20. Grid Computing
     • Context for Grid computing at UVa
       • Legion (1995–2002)
       • GGF
         • Steering Committee
         • Security Area Director
         • OGSA Sec co-director (with Raj Nagaratnam, IBM)
       • HPDC, SC Program Committees
       • NPACI
       • Other Grid efforts: DOE, DOD, NASA IPG
       • OGSI.NET
       • MyProxy (with Jim Basney, NCSA)

  21. Focus for our involvement in the Testbed
     • Help facilitate quality control on NMI software
       • It’s incredibly difficult! (e.g., Legion)
     • Grids on campus
       • As research infrastructure
     • Grids in the classroom
       • How do we teach middleware to undergrads/grads?
     • Opportunistically use the NMI components in our existing Grid projects
       • E.g., does this give us the opportunity to explore some issues that we previously didn’t plan to?

  22. Plan
     • Already using Globus/NWS/Condor-G in many research projects
       • Replace with NMI “productized versions” of Globus, Condor-G, NWS (“CHARMM portal”)
     • Investigate issues of integrating with the campus information infrastructure
       • PKI integration
       • (Re-visit) issues of UVa CWVC
     • Develop course materials for Grids

  23. Grid Applications for Scientists
     • Goal: easy access to grid resources for biologists performing protein folding
     • Biologists want
       • Access to distributed mass storage
       • Transparent remote execution
       • Security/authorization
       • Web-based job submission/steering tools
     • Solution: generic grid tools with customized interfaces for scientific apps

  24. CHARMM Molecular Dynamics Simulations (Protein Folding)
     • 100–200 structures to sample (r, Rgyr) space
     (plot: axes r and Rgyr)

  25. NPACI BioPhysics Portal
     (screenshot only)

  26. Results / Lessons: Research Projects
     • Transition to NMI versions largely straightforward
       • Immediate upgrades not always necessary
     • Issues
       • NMI components are not entirely “out-of-the-box perfect”
       • NMI components, at this time, do not contain the “full Grid picture”

  27. Results / Lessons: Integration with Campus Information
     • Integrating Grids with the UVa Standard Assurance CA
       • Technical integration straightforward
       • Still need to generate a tool to ease cert/key installation
       • Create UVa Web page: “Installing NMI Grids at UVa”
     • Issues
       • Student privacy concerns not always consistent with Grid mechanisms
         • “Students of CS650 are allowed to execute jobs on grad11.cs.virginia.edu…”
       • Broader: mechanism alone will not “coerce” resource owners to share

  28. Results / Lessons: Course Material for Grids
     • Grad CS class (CS650, F2002 and F2003) briefly introduced Grids
       • In the context of Web Services (“Grid Services”)
     • Refining for future classes
       • E.g., CS551, senior-level distributed systems class
     • Issues
       • Principles vs. “current fad”
       • Is the learning curve too steep?

  29. Bottom Line
     • UVa sees NMI as an opportunity to “take it to the next level”
     • General lessons on the use of NMI
       • Research projects: effective, but complex
       • Campus Grid: must want to share
       • In the classroom: principles vs. “current fad”
     • Very compelling progress in the NMI program; more to come
     • UVA Campus Grid project starts today, 10/1/04!

  30. Comments, questions?
     • Thanks to many people at UVa and the other testbed sites who worked with us on many of these projects
