Presentation is loading. Please wait.

Presentation is loading. Please wait.

Interoperable Portal Services Marlon Pierce Community Grids Lab Indiana University.

Published byAda Anderson Modified over 8 years ago

Similar presentations

Presentation on theme: "Interoperable Portal Services Marlon Pierce Community Grids Lab Indiana University."— Presentation transcript:

1 Interoperable Portal Services Marlon Pierce Community Grids Lab Indiana University

2 Project: ET011 Goals of the project are to demonstrate interoperability between Portal/PSE projects –Mary Thomas (PI), TACC: HotPage –Tomasz Haupt, MSU: DMEFS –Marlon Pierce, IU: Gateway We are building interoperability at two levels: –Web services provide standard interfaces –Portlets provide component-based interfaces

3 Portal Security We are building off Gateway’s approach for Web-based security for DOD portals. –Approved for ARL and ASC Users kinit to a web server to get a ticket. –SSL, MD’d sessions, Certificates maintain secure connection. –Web server typically located in “DMZ” Web server manages session IDs, invokes backend requests with Kerberos client utilities. Browser Web Server HPC DMZ HTTPS krcp, krsh

4 Portlets and Containers One of the problems of previous portal development is that there is no good way to share interface components. –How do developers share web interfaces? Also, how can we avoid constantly reinventing things like login services, customization services, page organization, access controls. Answer: use portlets and containers. –Becoming a recognized best practice for portal development because it enables distributed portal development. –OKC, Alliance Portal, HotPage, QuakeSim, NEESGrid, CHEF, GridLab, many others have adopted approach.

5 What Is a Portlet? A portlet is a piece of Java code that runs in a Web server inside a container servlet. Portlets can do two things: –Perform non-visual operations such as make connections to remote hosts, perform operations. Example: get a list of local files. –Create their display The portlet passes its display to its parent, which is responsible for constructing the entire display. –Typically this is HTML, with tables uses to organize component displays. –Other displays are possible (VoiceXML, WML).

6 Portlet Development Portlets may be either abstract types or instances. –Abstract types allow extensibility In support of this project, we have developed abstract portlets that can –Maintain session state and manage multiple cookies. –Make secure connections –Pass form parameters –Retain navigation of legacy JSP pages.

7 Portlet RSS HTMLJSPWebPage Portlet Local Portlets Data PortletController Screen Manager HTML PSML PortletControl ECS VM template ECS ECS Root to HTML ECS Turbine Servlet

8

9

10

11 Portal Services We have several services that we are portletizing as part of this project: –Job submission –File Transfer –Job Monitoring We are developing DOD versions of TACC’s GPIR services We are extending Jetspeed login to support web kiniting (with SecurID).

12 Job Submission Primarily based at ARL –Support Fluent, ANSYS, ABAQUS –Services construct GRD scripts, allow users to run and archive jobs. We are extending this to support ANSYS at ASC, DMEFS codes at ARL. We need to extend script generators for other queuing systems. –PBS, LoadLeveler, LSF

13

14

15

16 File Management File management services allow you to –Upload, download files between desktop and remote HPC –Download entire directories as zipped files. –Delete remote files. –Navigate remote directories. –Unzip/untar remotely. Targetting ASC and ARL initially –ARL is available in production

17

18 Job Monitoring We have web interfaces that will allow to monitor your jobs on various hosts. –Constructs an HTML table of your running jobs in a unified format. –Allows you to stop jobs We support GRD in production portal at ARL. Have ported this to PBS, LSF, and LoadLeveler as part of this project.

19 Access to Portlets Obviously not all users have accounts at all centers. –An ASC file browser should be accessible only to users with an ASC account. Jetspeed has role based accessed control to portlets. Each user can be assigned to one or more user roles (“ERDC”, “ASC”, etc). This controls which portlets a user can add to his or her display.

20 GridPort Information Repository (GPIR) Developed by TACC group for NPACI resources. Porting this to DOD. Aim is to aggregate and cache grid and portal related data from multiple sources in a uniform way. –MDS, NWS, custom data providers

21 GPIR Approach GPIR is implemented as a set of Java Web Services, one to handle the input of GPIR data (Ingester WS) and another to facilitate the querying of that data (Query WS) The Ingester WS accepts or "ingests" several types of XML documents and stores them in a relational database (currently MySQL, Postgres). – These documents are created by a variety of means, including Java Clients that exist on the resources themselves, http "web scraping" of machine-specific flat-file formats, and queries of additional information providers such and MDS, GMS (Grid Monitor Service), and NWS (Network Weather Service). Persistently stored data can then be queried via the Query Web Service which uses the same XML resources used by the Ingester, in addition to some Query specific documents that can return XML such as Machine Summary data.

22

23 GPIR Schema Types Static: static data for a machine. Load: load data for a machine. Status: machine status (up, down, unavailable). Downtime: downtime data for a machine. Jobs: job data for a machine. MOTD: Message of the Day data for a machine. Nodes: Nodes data for a machine. Services: represents the status of grid software running on a system. NWS: This returns bandwidth and latency measurements of the type returned by NWS.

24 More Information Contact: marpierc@indiana.edumarpierc@indiana.edu GPIR: http://www.tacc.utexas.edu/grid/gpir/http://www.tacc.utexas.edu/grid/gpir/ Gateway: http://www.gatewayportal.org.http://www.gatewayportal.org DMEFS: http://www.erc.msstate.edu/~haupt/DMEFS / http://www.erc.msstate.edu/~haupt/DMEFS /

25 Secure Web services Choonhan Youn, Marlon Pierce and Geoffrey Fox EECS, Syracuse University and Community Grids Lab, IU

26 Security Requirements for Web Services Need mutual authentication between clients and User Interface server –Clients are browsers: understand SSL but not Kerberos.  tunnel http requests through a secure CORBA connection.  provide a browser interface that will create a Kerberos TGT on the server for the user. Need secure SOAP messages between user interface server and the repository and the service provider. Examples of problems if you have no security? Web Browser User Interface Server Service Repository Service Provider Security ? SOAP

27 Security Problems with Web Services How can I support single sign on? How do I authenticate the sender of the SOAP message? How do I control access to resources? How do I verify the message has arrived unaltered? How do I keep the contents of the message secret? How can I do this in a transparent way with a number of different mechanisms (Kerberos, PKI, GSI)? How do I find out all the above attributes for a particular SOAP message?

28 Integration of Security into Web Services Authentication through single sign-on. –Kerberos, PKI –Distributed ticket system –Getting assertions about authentication, authorization, user attribute SOAP security should be provided through standard interfaces to specific mechanisms. General methods are –Message signing. –Message integrity. –Message encryption. Kerberos, PKI are specific mechanisms. Assertion is an XML document describing the information about authentication acts performed by subjects, attributes of subjects and authorization decisions, Created with a specific mechanism. Users Security Mechanism Web Service …… Assertions Signing Encryption Authenticate Generating Assertions Assertions SOAP …… HTTP

29 Security Assertions SAML is a standard security assertion markup language. SAML assertions can be added to SOAP messages. Assertions contain –Authentication info –Attributes –Authorization Decisions HTTP SOAP Envelop SOAP Body SOAP Message SOAP Header SAML Assertion

30 The client-side process Convert SAML schema to Java classes –Castor can be used to easily convert between XML and Java data objects. Develop utility classes for creating assertions, marshalling them back and forth between Java and SAML. –Assertion attributes filled in by the appropriate mechanism. Login process: the authentication and getting the Kerberos ticket. Establish the security context with the server for getting the shared key. Generate user’s SAML security assertion. Sign the user assertion and SOAP Body messages. Rebuild the SOAP messages.

31 <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> YIIIYwYJKoZIhvcSAQICAgEAAAAA//9a+0MDxeg14f8T5vf0o7jm9z4ml2Fj azlhwxyd/kZz8pgWbREMMZF2ELm9G+MFojzGKt0F6B91gBuJ1QL+QN5kM …………………………………………………………….. n8cdEhjskpcEYP2MvnRwxJmei9U5m3IToiHDI3foZ2TjhwPn Kerberos gateway@CG.INDIANA.EDU YIIBawYJKoZIhvcSAQICAgEAAAAA//9NPq5TRhFcyfMdAYFS1XHlBzI3JhN+c15 z0MncshbXb9zQ3Z8b6QkJHCmWZuVBXvyVSaDZ4GVgbwnicAJSGEj6OJVTxqQfH ……………………………………………………………… YFKg/LQJ0oleULSsP2k9HQY+MxD64IYaw9lSVOX9IHtc+uZyQ== The message structure of the SOAP request on the client-side.

32 <ns1:Assertion MajorVersion="1" MinorVersion="0" AssertionID="156.56.104.10.1054324468957" Issuer="Gateway Web Portal" IssueInstant="2003-05-30T14:54:28.957-05:00"> http://www.gatewayportal.org/agreement.xml <ns1:AuthenticationStatement AuthenticationMethod="urn:ietf:rfc:1510" AuthenticationInstant="2003-05-30T14:54:28.957-05:00"> <ns1:NameIdentifier SecurityDomain="www.gatewayportal.org" Name="gateway"/> urn:ietf:rfc:1510 A Kerberos Ticket <ns1:NameIdentifier SecurityDomain="www.gatewayportal.org" Name="gateway"/> urn:ietf:rfc:1510 A Kerberos Ticket 5 SAML example

33 The server-side process Establish the security context with client for getting the shared key. Handle the SOAP message. –Secure assertion message. –Secure body message. –Security mechanism name such as Kerberos, PKI. –Message format such as SAML, WS-security. Unwrap the secure assertion It checks the validity of the assertions. –Issuer name –“Conditions” time limit –Subject name –Authorization for accessing resources Unwrap SOAP body message Rebuild the SOAP message.

34 Internet (HTTP) cloud Client An assertion-based authentication service for Gateway Web Services

35 Multiple accesses in a distributed system Usually, User Interface Server in computing portals federates a bunch of Web service proxies for accessing distributed services. When we use the client-server interaction fashion shown in the previous picture, the client has each secure session object on each distributed service. we need more effective system for handling client’s secure session object. –separating a secure server session object from an SOAP server which is running a bunch of Web services. –It is possible to use the messaging or event system, so called the Narada event brokering system developed by Community-Grids Lab. at Indiana University. –NaradaBrokering provides JMS compliance which follows the well- known publish-subscribe model. –Using NaradaBrokering system which is a messaging middleware, clients can interact with distributed computing services securely.

36 Interactions of secure Web service in a distributed environment - 1 (2) (8) (4) (5) (6) (3) (7) (1) NaradaBrokering Server User Interface Server Web Browser SOAP server A SOAP server C Security Handler SOAP server B

37 Interactions of secure Web service in a distributed environment - 2 1)UIS establishes the security context with the “Security Handler” subscriber for getting the shared key. 2)UIS makes secure SOAP message and then invoke the desired one of distributed services. 3)The selected SOAP server (SOAP server A) extracts SOAP Header message and SOAP Body message, respectively from the secure SOAP message and then publishes them into the NaradaBrokering server. 4)Those messages are processed in “Security Handler” subscriber which establishes and maintains a security context with the client for getting the shared session key that will be used for unwrapping the secure messages. It also checks the validity of the user assertion. 5)“Security Handler” subscriber publishes the SOAP message with the decrypted SOAP Body message which is rebuilt in into the NaradaBrokering server if the test results for this user are valid. 6)The selected SOAP server takes the SOAP message through the NaradaBrokering server and then makes a process it. 7)UIS get the SOAP response message as the user’s service request. 8)UIS try to interact with another distributed service without authenticating again (Step 1), following with the above procedures.

38 Technical resources Modified Apache Axis 1.0: SOAP Engine Security assertion –SAML being standardized at OASIS is an XML-based security standard for exchanging authentication and authorization information. –SAML schema: draft-sstc-schema-assertion- 27.xsd Kerberos: Version 5, Release 1.2.2

Download ppt "Interoperable Portal Services Marlon Pierce Community Grids Lab Indiana University."

Similar presentations

How to Set Up a System for Teaching Files, Conferences, and Clinical Trials Medical Imaging Resource Center.

How to Set Up a System for Teaching Files, Conferences, and Clinical Trials Medical Imaging Resource Center.
LEAD Portal: a TeraGrid Gateway and Application Service Architecture Marcus Christie and Suresh Marru Indiana University LEAD Project (http://lead.ou.edu)

LEAD Portal: a TeraGrid Gateway and Application Service Architecture Marcus Christie and Suresh Marru Indiana University LEAD Project (
Web Service Ahmed Gamal Ahmed Nile University Bioinformatics Group

Web Service Ahmed Gamal Ahmed Nile University Bioinformatics Group
Building Problem Solving Environments with Application Web Service Toolkits Choonhan Youn and Marlon Pierce Computer Science, Syracuse University And Community.

Building Problem Solving Environments with Application Web Service Toolkits Choonhan Youn and Marlon Pierce Computer Science, Syracuse University And Community.
Reusable Components for Grid Computing Portals Marlon Pierce Community Grids Lab Indiana University.

Reusable Components for Grid Computing Portals Marlon Pierce Community Grids Lab Indiana University.
Lecture 23 Internet Authentication Applications

Lecture 23 Internet Authentication Applications
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
Web Services and the Semantic Web: Open Discussion Session Diana Geangalau Ryan Layfield.

Web Services and the Semantic Web: Open Discussion Session Diana Geangalau Ryan Layfield.
B.Sc. Multimedia ComputingMedia Technologies Database Technologies.

B.Sc. Multimedia ComputingMedia Technologies Database Technologies.
Grid Computing, B. Wilkinson, 20043a.1 WEB SERVICES Introduction.

Grid Computing, B. Wilkinson, 20043a.1 WEB SERVICES Introduction.
Systems Architecture, Fourth Edition1 Internet and Distributed Application Services Chapter 13.

Systems Architecture, Fourth Edition1 Internet and Distributed Application Services Chapter 13.
Web-based Portal for Discovery, Retrieval and Visualization of Earth Science Datasets in Grid Environment Zhenping (Jane) Liu.

Web-based Portal for Discovery, Retrieval and Visualization of Earth Science Datasets in Grid Environment Zhenping (Jane) Liu.
159.339 Quick Tour of the Web Technologies: The BIG picture LECTURE A bird’s eye view of the different web technologies that we shall explore and study.

Quick Tour of the Web Technologies: The BIG picture LECTURE A bird’s eye view of the different web technologies that we shall explore and study.
INTRODUCTION TO WEB DATABASE PROGRAMMING

INTRODUCTION TO WEB DATABASE PROGRAMMING
FALL 2005CSI 4118 – UNIVERSITY OF OTTAWA1 Part 4 Web technologies: HTTP, CGI, PHP,Java applets)

FALL 2005CSI 4118 – UNIVERSITY OF OTTAWA1 Part 4 Web technologies: HTTP, CGI, PHP,Java applets)
A PERMIS-based Authorization Solution between Portlets and Back-end Web Services Hao Yin 1, Sofia Brenes-Barahona 2, Donald F. McMullen * 2, Marlon Pierce.

A PERMIS-based Authorization Solution between Portlets and Back-end Web Services Hao Yin 1, Sofia Brenes-Barahona 2, Donald F. McMullen * 2, Marlon Pierce.
Copyright © cs-tutorial.com. Introduction to Web Development In 1990 and 1991,Tim Berners-Lee created the World Wide Web at the European Laboratory for.

Copyright © cs-tutorial.com. Introduction to Web Development In 1990 and 1991,Tim Berners-Lee created the World Wide Web at the European Laboratory for.
Application Web Service Toolkit Geoffrey Fox, Marlon Pierce, Ozgur Balsoy Indiana University July 24 2002.

Application Web Service Toolkit Geoffrey Fox, Marlon Pierce, Ozgur Balsoy Indiana University July
70-284 MCSE Guide to Microsoft Exchange Server 2003 Administration Chapter Four Configuring Outlook and Outlook Web Access.

MCSE Guide to Microsoft Exchange Server 2003 Administration Chapter Four Configuring Outlook and Outlook Web Access.
About Dynamic Sites (Front End / Back End Implementations) by Janssen & Associates Affordable Website Solutions for Individuals and Small Businesses.

About Dynamic Sites (Front End / Back End Implementations) by Janssen & Associates Affordable Website Solutions for Individuals and Small Businesses.

Similar presentations

Ads by Google