
User Support in IGI: Related Tools and Services in Italy
Giuseppe LA ROCCA (giuseppe.larocca@ct.infn.it), INFN – Sez. di Catania, Italy
EGI Technical Forum 2011, 19-23 September 2011, Lyon Conference Centre, France
EGI-InSPIRE RI-261323 www.egi.eu

Outline
• Introduction to the RESTful "lightweight" crypto library API:
  – The Architecture;
  – SW/HW Requirements;
  – Success stories.
• Investigation of new solutions for the design of a general purpose Grid portal for scientific applications.
• GriF: a collaborative tool for grid empowered computational applications.

• Introduction to the RESTful "lightweight" crypto library API:
  – The Architecture;
  – Software Requirements:
    • Java PKCS#11, Bouncy Castle and Java CoG Kits;
    • JAX-RS 1.2 Java APIs using the Jersey implementation;
    • VOMS-API v. 3.0;
    • Apache Tomcat 6.0.32 as a Web Container;
  – Success Stories:
    • The DECIDE, ViralGrid and EUMEDGrid-Support use cases.

Why a RESTful "lightweight" crypto library?
• REST (Representational State Transfer) is nowadays a de facto standard for accessing distributed resources in a web-affine manner.
• Every resource is uniquely identified by a global ID;
  – e.g.: https://infn-lb-01.ct.pi2s2.it:9000/cANG8Wt2C8PYcL6h8YiLRg
• The JAX-RS (Java API for RESTful Web Services) specification, defined in JSR 311, standardises how RESTful web services are deployed;
• Jersey is the open source JAX-RS (JSR 311) Reference Implementation for building RESTful Web services.

Additional SW/HW Requirements …
• The Cryptographic Token Interface Standard (PKCS#11) was introduced by RSA Data Security Inc.;
  – It defines native programming interfaces for accessing cryptographic tokens (hardware cryptographic accelerators, smart cards, …);
• The Bouncy Castle APIs support creating two kinds of X.509 certificates (version 1 and version 3);
• CoG Kits let users provide Globus Toolkit functionality within their own code without calling scripts and, in some cases, without having Globus installed;
• The VOMS-Admin library (ver. 3.0), developed in the context of the DILIGENT and D4Science projects, is used to interact with the VOMS server and retrieve the list of groups/roles per VO;
• eToken PRO smart cards (32/64 KB) with the pki-client software (ver. 4.55-34).

The 4-tier architecture of the "lightweight" crypto library
(Architecture diagram; the tier labels that survive from the figure are: Users, Client Applications, Grid Portals / Science Gateways.)

Main Features
• Deployed on Tomcat Application Server (ver. 6.0.32);
• Based on the PKCS#11 standard;
• Thread-safe access to the list of smart cards;
• SSL encryption using a trusted host certificate;
• Caching of proxy certificates for each valid request, keyed by ID = serial + vo + fqan;
  – If lifetime(request.ID) – threshold > 0, the cached proxy is sent to the Science Gateway; otherwise a new proxy is generated.
• Server performance evaluated with Apache JMeter:
  – ~6-8 s waiting time for a new proxy;
  – 20 ms for a cached proxy.
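The caching rule on this slide is the security-relevant part: a proxy is reused only while it still has more than `threshold` of validity left, so a Science Gateway never receives a credential that could expire while a job is running, and the key includes the FQAN, so a proxy carrying one VOMS role is never handed out for a request with a different role. The following is an added example that illustrates that rule; it is not the eToken server's own code. The class and function names (`ProxyRequest`, `ProxyCache`, `issue_proxy`, `demo`), the `|` separator in the cache ID, the 12-hour proxy validity and the sample serial/VO/FQAN values are all assumptions constructed for the example, and `issue_proxy` fabricates a placeholder string instead of talking to a smart card, VOMS or MyProxy.

```python
"""Proxy-certificate cache with a lifetime threshold, keyed by (serial, vo, fqan).

Added example; not code from the eToken server described on the slide.
Constructed input: issue_proxy() fabricates a placeholder "PEM" string with a
12-hour validity instead of contacting a smart card, VOMS or MyProxy.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from threading import Lock
from typing import Callable, Dict, Tuple


@dataclass(frozen=True)
class ProxyRequest:
    serial: str  # serial of the robot certificate on the smart card
    vo: str      # Virtual Organisation
    fqan: str    # VOMS Fully Qualified Attribute Name (group/role)

    def cache_id(self) -> str:
        # ID = serial + vo + fqan (slide). The '|' separator is an assumption:
        # plain concatenation would let ("ab", "c") and ("a", "bc") collide.
        return "|".join((self.serial, self.vo, self.fqan))


@dataclass(frozen=True)
class Proxy:
    pem: str
    not_after: datetime


def issue_proxy(req: ProxyRequest, now: datetime) -> Proxy:
    """Constructed stand-in for the slow path (PKCS#11 signing + VOMS AC, ~6-8 s)."""
    not_after = now + timedelta(hours=12)  # assumed validity
    pem = f"-----BEGIN PROXY {req.cache_id()} until {not_after.isoformat()}-----"
    return Proxy(pem=pem, not_after=not_after)


class ProxyCache:
    """Serve a cached proxy only while lifetime(ID) - threshold > 0."""

    def __init__(self, threshold: timedelta) -> None:
        self._threshold = threshold
        self._store: Dict[str, Proxy] = {}
        self._lock = Lock()  # one lock models the thread-safe smart-card access

    @staticmethod
    def lifetime(proxy: Proxy, now: datetime) -> timedelta:
        return proxy.not_after - now

    def get_or_create(
        self,
        req: ProxyRequest,
        now: datetime,
        issue: Callable[[ProxyRequest, datetime], Proxy] = issue_proxy,
    ) -> Tuple[str, bool]:
        """Return (pem, served_from_cache)."""
        key = req.cache_id()
        with self._lock:
            cached = self._store.get(key)
            if cached is not None and self.lifetime(cached, now) - self._threshold > timedelta(0):
                return cached.pem, True
            # Never seen, or too little validity left: a gateway given this proxy
            # could see it expire mid-job, so generate a fresh one under the lock.
            fresh = issue(req, now)
            self._store[key] = fresh
            return fresh.pem, False


def demo() -> Tuple[bool, bool, bool, bool]:
    """Miss -> hit -> refresh near expiry -> a different FQAN is always a miss."""
    t0 = datetime(2011, 9, 20, 14, 0, tzinfo=timezone.utc)
    cache = ProxyCache(threshold=timedelta(hours=1))
    req = ProxyRequest("3a7f", "vo.example", "/vo.example/Role=NULL")
    _, hit1 = cache.get_or_create(req, t0)                                   # new proxy
    _, hit2 = cache.get_or_create(req, t0 + timedelta(minutes=5))            # 11h55 left > 1h
    _, hit3 = cache.get_or_create(req, t0 + timedelta(hours=11, minutes=30))  # 30 min left < 1h
    admin = ProxyRequest("3a7f", "vo.example", "/vo.example/Role=admin")
    _, hit4 = cache.get_or_create(admin, t0 + timedelta(minutes=5))          # other role, own key
    return hit1, hit2, hit3, hit4


if __name__ == "__main__":
    print(demo())  # (False, True, False, False)
```

The threshold should be at least as long as the longest job the gateways submit with a cached proxy; a proxy that passes the check with seconds to spare is useless to a job that runs for an hour. Generating the fresh proxy inside the lock serialises PKCS#11 access to the token, which matches the slide's "thread-safe access to the list of smart cards" but also means concurrent cache misses queue behind one another.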

The working scenario
(Sequence diagram between the client, the eToken Server, the VOMS Server and the MyProxy Server; the labelled interactions are: ask for a service list / create request (*), get results (*), execute service, retrieve serials/proxy, get results, ask for VOMS AC attributes and groups/roles (VOMS Server), store long proxy (MyProxy Server); the links are SSL encrypted.)

Success Stories
• The new crypto library is currently used by:
  – The DECIDE Science Gateway (see the DECIDE demonstration at EGI-UF 2011; Abstract [47] – "The DECIDE project Science Gateway", Sept. 20th, 14:00 – 14:15, Rhone 3);
  – The ViralGrid Science Gateway;
  – The EUMEDGRID-Support Service Challenge and Science Gateway (Abstract [57] – "The EUMEDGRID-Support User Forum", Sept. 23rd, 09:00 – 12:30, Rhone 2).

• Investigation of new solutions for the design of a general purpose Grid portal for scientific applications.

Overview
• IGI (Italian Grid Initiative) is developing a web portal to ease access to grid and cloud services;
• The main goal is to hide the "complexity" of X.509 certificates (request and management) from the user;
• IGTF policies and guidelines were taken into account when designing the framework.

Two different scenarios
• We distinguish between users with and without an X.509 certificate:
  – User with a certificate: uploads it;
  – User without a certificate: the portal requests a certificate from an online CA on behalf of the user.

Our Proposal
• The portal, using a SAML delegation mechanism, asks an online CA for a Member Integrated Credential Services (MICS) certificate on behalf of the user;
• Why MICS?
  – Certificate management is easier and more transparent for the user;
  – It avoids failures of jobs submitted close to the expiration of a short-lived credential (SLCS certificate), since MICS certificates are longer-lived.

Configuration
• At first login the user has to set his/her personal settings:
  – Select the Identity Federation;
  – Personal information (FirstName, LastName, Institution, …);
  – Upload an existing certificate (if any);
    • otherwise the online CA is contacted to issue one.
  – Add a VO membership;
  – Request a new VO membership;
  – Specify an FQAN for each VO.

Authentication (1/2)
• Strong user identification by means of an IdP belonging to an accredited identity federation (e.g. the IDEM federation);
  – A user who is not registered with an accredited identity federation cannot access the grid and cloud services through the portal.
• The portal redirects the user to his/her IdP login page;
• Once the IdP has authenticated the user, he/she is automatically logged into the portal.

Authentication (2/2)
• The portal asks for a passphrase to retrieve the proxy from the MyProxy Server;
• The VOMS Server is contacted to issue the signed VOMS attribute certificate (groups/roles) that is added to the proxy as a VOMS extension; the proxy itself is not signed by VOMS.

4. Grid & Cloud Access
• For Job Submission and Data Management tasks the portal uses WS-PGRADE (MTA-SZTAKI);
  – Other solutions are under investigation, e.g. JSAGA (IN2P3);
• For Cloud resource provisioning the portal is interfaced with WNoDeS (INFN-CNAF);
• The accounting portlet provides information for both environments.

The Portal Schema as a whole
(Diagram of the complete portal architecture.)

• GriF: a collaborative tool for grid empowered computational applications.

What is GriF?
– GriF is a SOA Grid Framework aimed at running multi-purpose scientific applications on the EGI Grid;
– Easy submission over the Grid;
– Optimised distribution of tasks;
– Java based framework;
– Supports single and multiple job submission.

Tools for an E-science environment: Efficient Grid submission
(Diagram.)

GCreS: a credit system to reward member activities
– Use Grid sensors to evaluate the services provided;
– Use Grid sensors to evaluate user activities;
– Introduce a metric in the VO;
– Implement a credit system and costs of services.

Thank you!