NMI Testbed Activities at Virginia
SURA NMI Testbed Workshop, October 1, 2004
Jim Jokl, jaj@Virginia.EDU
UVa Participation in the NMI Testbed
• Context for middleware @ UVa
  • ~19,000 students (~5,000 graduate/professional)
  • ~11,000 faculty and staff
  • Consolidated central computing (ITC)
    • Academic & administrative computing, network & telecom
    • A separate Hospital Computing group runs the systems that support patient care
• NMI Testbed Project @ UVa
  • Marty Humphrey (Computer Science): focus on the Grid components
  • Jim Jokl (ITC): focus on the EDIT components
NMI Authentication & Authorization
• Background
  • A few authoritative systems: email, Unix, Active Directory, some certificates
  • Locally developed Apache module, UVaAuth
    • Enables authentication against the reference systems
    • User-developed applications are acceptable because the application itself never collects the user name or password
    • But no Web single sign-on capability
• Improving the situation by leveraging some of the NMI components
  • PubCookie as a replacement for UVaAuth
  • Shibboleth for inter-institutional applications
Shibboleth at UVa
• Goal: enable use of local UVa credentials to access remote resources, with privacy protection
• Initial installation & testing of our Shibboleth Origin against the Internet2 test target in February 2003
  • Clean installation; the only headaches were case sensitivity on a certificate field and some Tomcat configuration issues
• Initial application: WebAssign for Physics department courses
  • First WebAssign group: April 2003
  • Production: fall 2003, spring 2004, and now
  • Positive feedback from faculty, no real problems
• Next application: JSTOR access
  • Had also done the DLF certificate model earlier with JSTOR
  • More library usage when some of this becomes mandatory and/or more pervasive
• Shibboleth@UVa (link)
PubCookie at UVa
• Motivation
  • Replace the local UVaAuth WebSO Apache module with PubCookie
  • Obtain Web single sign-on functionality
• Main tasks
  • Integrated our authentication into the PubCookie source
    • Added RADIUS and SMB authentication
    • PubCookie code is well designed and easy to work with
  • PubCookie-enable applications (link)
• Applications
  • First application was going to be the new student voting system
    • Didn't fly due to branding issues on the login screen
  • Testing the IIS version now
  • Plan to work on many applications over the coming year: Web home directory interface, web mail, etc.
  • Once we get enough applications converted, our portal will probably start to use the system
Directory Services
• Goals
  • All of the usual ones: a central repository for people, groups, attributes for authorization decisions, white pages, etc.
• Helpful NMI components
  • LDAP Recipe
  • eduPerson
  • LDAP Analyzer
• Upgrades completed
  • eduPerson
    • Our central systems already had all of the data needed
    • We do not use eduPersonEntitlement at this time
  • Added to UVaPerson
    • Cisco VPN schema for authorization
    • Mechanism for users to upload photos into the directory
University of Virginia PKI
• Project goal
  • Enable PKI support in a wide range of applications
  • Deploy two campus CAs to support two types of PKI-enabled applications
• Standard Assurance CA
  • Better security on common applications
  • Improved ease of use on some applications
  • Identity proofing marginally stronger than that used with simple passwords
• High Assurance CA
  • For new applications requiring high security and 2-factor authentication
  • Strong identity validation before a certificate is issued
UVa Standard Assurance CA
• Focus: new applications & ease of use
• NMI components used
  • PKI-Lite Policy/Practices framework (link)
  • PKI-Lite certificate profiles
• Designed to support many common applications over time
  • Web authentication
  • VPN authentication
  • S/MIME: signed and encrypted email
  • SSL server certificates
  • EAP-TLS for wireless access control
  • Grid authentication
Standard Assurance CA Applications
• Cisco VPN services
  • UVa-Anywhere remote access VPN
    • Pair of Cisco 3030 VPN concentrators, configured as full tunnel
    • Default tunnel transport is now TCP on port 80
    • Some early problems with some home router software and with MTU
  • "More Secure" network VPN
    • Uses LDAP authorization to prevent student access
• Other applications
  • Web authentication (software download now, more later)
  • Globus toolkit
  • Perhaps Shibboleth & PubCookie in the future
EAP-TLS Wireless Authentication
• The user verifies the RADIUS server's identity using PKI
• The RADIUS server verifies the user's identity using PKI
• Association is allowed and dynamic session crypto keys are exchanged
• Goal: an LDAP-based authorization step will be added soon
[Diagram: User, Access Point, RADIUS Server, LDAP AuthZ]
Standard Assurance CA Applications: Wireless Authentication
• Old wireless network
  • Access control via LEAP or MAC registration
• Transitioned to new authentication this summer
  • Added an EAP-TLS VLAN, removed LEAP
  • This is the broadcast SSID
  • Main issue encountered: old drivers for users' wireless cards
• Retaining a legacy MAC-registration-only VLAN
  • Some devices do not support EAP-TLS
• Will add an EAP-TLS VLAN for access to the "More Secure" network in the future
• Some changes were made to the PKI-Lite certificate profile recommendations as a result of this work
UVa High Assurance CA
• Focus
  • Applications requiring high security and 2-factor authentication
• NMI component
  • Designed for the Higher Education Campus Certificate Policy
• Two-step Registration Authority (RA) process
  • In-person photo identification check
  • User web form and database validation protect against a rogue RA
• User hardware token required
  • 2-factor authentication, strong private key protection
  • Enables easy mobility, provides idle timeout
UVa High Assurance CA Applications
• Focus on applications needing higher assurance levels using 2-factor authentication
  • SSH authentication for sysadmins of critical systems (ERP system admins and DBAs)
    • ssh.com commercial server & VanDyke SecureCRT
  • VPN authentication for access to special-purpose networks (ERP, HIPAA, etc.)
  • Web authentication for network management delegation to department staff
  • Some internal apps: RA, VPN AuthZ management, etc.
• Future
  • Windows 2000/XP authentication??
  • Digital signatures and HEBCA applications??
VPN PKI 2-factor Authentication with LDAP Authorization
[Diagram: Hospital Net and the Main Campus Network reach the Oracle ERP servers (S1, S2, S3 … Sn) through the VPN concentrators and firewalls; the VPN concentrators consult the LDAP AuthZ servers]
Campus Globus Integration
• Enable the use of a single set of central campus credentials for Grid applications
  • Focus on intra-campus use
  • Enable different research groups to share more easily
• NMI components
  • Globus toolkit
  • PKI-Lite components
• The Globus toolkit uses PKI for authentication of users and resources
  • The PKI-Lite certificate profile works well with Globus
  • Intra-campus CA integration is complicated by the Globus interface
    • Campus CAs and OS-exported certificates are generally in PKCS#12 format
    • Globus expects raw PEM files for the certificate and the private key
  • However, no significant problems for intra-campus use
• Our longer-term goals
  • More use of Globus by campus researchers
  • Build a UVa Grid
Inter-campus Globus Integration
• Goal: support the use of native campus PKI credentials in an inter-institutional Grid
  • Enable users to do all of their work using their local campus credentials
• Inter-campus trust is more difficult
  • Hierarchical PKI CAs
  • PKI Bridge CA
  • Can we make Globus operate in a bridged PKI?
    • The OpenSSL PKI in Globus is not bridge-aware
• Project: scope inter-campus Grid trust issues, preparing to leverage Higher Education PKI efforts
  • EDUCAUSE Higher Education Bridge CA (HEBCA)
  • Internet2 US Higher Education Root CA (USHER)
Schematic of Grid Testbed PKI Integration Goal
[Diagram: Testbed CA and Testbed Bridge CA linked by cross-cert pairs to A's PKI, B's PKI and C's PKI; Campus A through Campus F Grids and their Grid user certs shown around them]
Inter-campus Testbed Globus Project Activity
• Built Testbed Bridge CA
  • Off-line system
  • Used Linux and OpenSSL to build the bridge
  • Stored securely when not in use
• Cross-certifications
  • UVA
  • UAB
  • TACC
  • USC
• We'll know a lot more in a few weeks
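The two slides above raise the question of whether the OpenSSL path validation inside Globus can follow a bridged trust path at all. The script below is an added example, not the testbed's own build scripts: it uses OpenSSL to build a bridge CA and two campus CAs, issues the cross-cert pairs, has campus A issue a user certificate, and then validates that certificate from campus B's point of view, trusting only B's own root. The CA names, "Jane User" and the certificate lifetimes are constructed for the demo. What it shows is that plain openssl verify does accept the bridged path, provided the relying party hands it the cross-certificates as untrusted intermediates; a relying party that only knows its own root and the end-entity certificate (which is how a stock Globus installation is configured) has no path and rejects the user.

```shell
#!/bin/sh
# Added example (not the testbed's code): bridge CA + cross-cert pairs with
# OpenSSL, then path validation across the bridge from another campus.
set -eu

# Config for CSR subjects and the extensions every CA / cross-cert must carry
# (OpenSSL refuses an intermediate without basicConstraints CA:TRUE).
write_config() {
    dir=$1
    printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = placeholder\n' > "$dir/req.cnf"
    printf 'basicConstraints = critical, CA:TRUE\nkeyUsage = critical, keyCertSign, cRLSign\nsubjectKeyIdentifier = hash\n' > "$dir/ca.ext"
}

# new_ca <dir> <name> <subject>: key, CSR (kept for cross-certification) and
# a self-signed root certificate.
new_ca() {
    dir=$1; name=$2; subj=$3
    openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null
    openssl req -new -config "$dir/req.cnf" -key "$dir/$name.key" -subj "$subj" -out "$dir/$name.csr"
    openssl x509 -req -in "$dir/$name.csr" -signkey "$dir/$name.key" \
        -extfile "$dir/ca.ext" -days 365 -out "$dir/$name.self.pem" 2>/dev/null
}

# cross_cert <dir> <issuer> <subject>: the issuer CA signs the subject CA's
# CSR, so the result carries the subject CA's name and public key under the
# issuer's signature. Run in both directions it is a cross-cert pair.
cross_cert() {
    dir=$1; issuer=$2; subject=$3
    openssl x509 -req -in "$dir/$subject.csr" \
        -CA "$dir/$issuer.self.pem" -CAkey "$dir/$issuer.key" -CAcreateserial \
        -extfile "$dir/ca.ext" -days 365 -out "$dir/$subject.by.$issuer.pem" 2>/dev/null
}

# build_bridge <dir>: bridge, two campus CAs, cross-cert pairs, one user cert.
build_bridge() {
    dir=$1
    write_config "$dir"
    new_ca "$dir" bridge  "/O=Testbed/CN=Testbed Bridge CA"
    new_ca "$dir" campusA "/O=Campus A/CN=Campus A Standard Assurance CA"
    new_ca "$dir" campusB "/O=Campus B/CN=Campus B Standard Assurance CA"
    for c in campusA campusB; do
        cross_cert "$dir" bridge "$c"   # bridge certifies the campus CA
        cross_cert "$dir" "$c" bridge   # campus CA certifies the bridge
    done
    # Campus A issues an end-entity certificate to one of its Grid users.
    openssl req -new -config "$dir/req.cnf" -newkey rsa:2048 -nodes \
        -keyout "$dir/user.key" -subj "/O=Campus A/CN=Jane User" -out "$dir/user.csr" 2>/dev/null
    openssl x509 -req -in "$dir/user.csr" -CA "$dir/campusA.self.pem" \
        -CAkey "$dir/campusA.key" -CAcreateserial -days 30 -out "$dir/user.pem" 2>/dev/null
}

# verify_from <dir> <relying campus> <cert> [yes]: validate <cert> trusting
# only the relying campus's own root. With "yes" the cross-certs are offered
# as untrusted intermediates (bridge-aware); without them no path exists.
verify_from() {
    dir=$1; rp=$2; cert=$3; bridged=${4:-no}
    if [ "$bridged" = yes ]; then
        cat "$dir/bridge.by.$rp.pem" "$dir/campusA.by.bridge.pem" \
            "$dir/campusB.by.bridge.pem" > "$dir/chain.$rp.pem"
        openssl verify -CAfile "$dir/$rp.self.pem" -untrusted "$dir/chain.$rp.pem" "$cert" >/dev/null 2>&1
    else
        openssl verify -CAfile "$dir/$rp.self.pem" "$cert" >/dev/null 2>&1
    fi
}

# Usage: run once in a scratch directory.
demo=$(mktemp -d)
build_bridge "$demo"
verify_from "$demo" campusB "$demo/user.pem" yes && echo "campus B accepts campus A's user through the bridge"
verify_from "$demo" campusB "$demo/user.pem" || echo "without the cross-certs campus B has no path to campus A"
```

The bridge-aware call works only because the chain file is assembled by hand; OpenSSL builds the path by matching issuer names to subjects among the certificates it is given, and a bridge is just two extra hops in that search. Nothing in the toolkit discovers or fetches cross-certificates on its own, which is the practical meaning of "not bridge-aware" on the previous slide.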
Grid Computing
• Context for Grid computing at UVa
  • Legion (1995–2002)
  • GGF
    • Steering Committee
    • Security Area Director
    • OGSA Sec co-director (with Raj Nagaratnam, IBM)
  • HPDC, SC Program Committees
  • NPACI
  • Other Grid efforts: DOE, DOD, NASA IPG
  • OGSI.NET
  • MyProxy (with Jim Basney, NCSA)
Focus for our involvement in the Testbed
• Help facilitate quality control on NMI software
  • It's incredibly difficult! (e.g., Legion)
• Grids on campus
  • As research infrastructure
• Grids in the classroom
  • How do we teach middleware to undergrads/grads?
• Opportunistically use the NMI components in our existing Grid projects
  • E.g., does this give us the opportunity to explore some issues that we previously didn't plan to?
Plan
• Already using Globus/NWS/Condor-G in many research projects
  • Replace with NMI "productized versions" of Globus, Condor-G, NWS ("CHARMM portal")
• Investigate issues of integrating with campus information infrastructure
  • PKI integration
  • (Re-visit) issues of UVa CWVC
• Develop course materials for Grids
Grid Applications for Scientists
• Goal: easy access to grid resources for biologists performing protein folding
• Biologists want
  • Access to distributed mass storage
  • Transparent remote execution
  • Security/authorization
  • Web-based job submission/steering tools
• Solution: generic grid tools with customized interfaces for scientific apps
[Figure: CHARMM Molecular Dynamics Simulations (Protein Folding); 100–200 structures to sample the (r, Rgyr) space]
Results / Lessons: Research Projects
• Transition to NMI versions largely straightforward
  • Immediate upgrades not always necessary
• Issues
  • NMI components are not entirely "out-of-the-box perfect"
  • NMI components, at this time, do not contain the "full Grid picture"
Results / Lessons: Integration with Campus Information
• Integrating Grids with the UVa Standard Assurance CA
  • Technical integration straightforward
  • Still need to generate a tool to ease cert/key installation
  • Create UVa Web page: "Installing NMI Grids at UVa"
• Issues
  • Student privacy concerns not always consistent with Grid mechanisms
    • "Students of CS650 are allowed to execute jobs on grad11.cs.virginia.edu…"
  • Broader: mechanism alone will not "coerce" resource owners to share
Results / Lessons: Course Material for Grids
• Grad CS class (CS650, F2002 and F2003) briefly introduced Grids
  • In the context of Web Services ("Grid Services")
• Refining for future classes
  • E.g., CS551, the senior-level distributed systems class
• Issues
  • Principles vs. "current fad"
  • Is the learning curve too steep?
Bottom Line
• UVa sees NMI as an opportunity to "take it to the next level"
• General lessons on the use of NMI
  • Research projects: effective, but complex
  • Campus Grid: must want to share
  • In the classroom: principles vs. "current fad"
• Very compelling progress in the NMI program; more to come
• UVA Campus Grid project starts today, 10/1/04!
Comments, questions?
• Thanks to the many people at UVa and the other testbed sites who worked with us on many of these projects