Grid security in NAREGI project July 19, 2006 National Institute of Informatics, Japan Shinichi Mineo APAN Grid-Middleware Workshop 2006.


1 Grid security in NAREGI project July 19, 2006 National Institute of Informatics, Japan Shinichi Mineo APAN Grid-Middleware Workshop 2006

2 CyberScience Infrastructure for Advanced Science (by NII)
– Publication of scientific results from academia; scientific repository
– Human resource development and strong organization
– NAREGI Middleware and Virtual Organizations for science
– UPKI
– To innovate academia and industry: industry liaison and social benefit, global contribution
– Super SINET: a next-generation network infrastructure supported by NII and 7 national computer centers (Hokkaido University, Tohoku University, University of Tokyo, Nagoya University, Kyoto University, Osaka University, Kyushu University; also Tokyo Institute of Technology, Waseda University, KEK (High Energy Accelerator Research Organization), etc.)

3 Super SINET provides 10 Gbps Backbone

4 Grid for enabling Collaborative Computing
– A Virtual Organization spanning University A, domestic Lab B and overseas Lab C over Super SINET: researchers, experimental devices, supercomputers and database servers
– Experiments using special devices; analysis using supercomputers; search in databases
– To realize a heterogeneous, large-scale computational environment
– To share large and expensive devices and databases
– Security is a key issue to be solved!

5 NAREGI Software Stack (Beta ver. 2006)
– Computing centers and VOs: NII, IMS, KEK, university centers
– Core: Globus 4 / NAREGI (WSRF + services) over Super SINET
– WP1: Super Scheduler, Grid VM, Distributed Information Service, Packaging
– WP2: Grid Programming (Grid RPC, Grid MPI)
– WP3: Grid PSE, Grid Workflow, GridVis
– WP4: Data Grid
– WP5: High-performance and secure Grid networking
– WP6: Grid-enabled nano-applications

6 A Use Case: Job Submission with Reservation-based Co-Allocation
– The client (WFT, PSE, GVS, GridRPC) submits a workflow described in abstract JSDL
– The Super Scheduler queries the Information Service (DAI resource query, GridVM resource info), performs reservation-based co-allocation, and sends concrete JSDL to each GridVM (reservation, submission, query, control, ...)
– Computing resources run GridVM (with GridMPI); accounting via CIM and UR/RUS

7 Security Requirements in AAA
– Authentication (developed: NAREGI-CA, to be deployed in UPKI)
  – PKI-based user authentication
  – Compatible with GSI standards
  – Trust federation between CAs
– Authorization (current issues to be solved)
  – VO management for inter-organizational collaboration
  – Interoperable with other Grid projects
– Accounting (future issues)
  – ID federation for authorization and traceability
  – With privacy protection!

8 Virtual Organization and Security Domain
– Definition of VO on GGF: "A virtual organization (VO) is a dynamic collection of resources and users unified by a common goal and potentially spanning multiple administrative domains."
– Services and users are exposed in a Virtual Organization: Organization A (user 1, user 2, user 3; service_a, service_b, service_c) and Organization B (user p, user q, user r; service_x, service_y, service_z) are each a PKI domain; the VO domain consists of what each organization exposes under contract, Contract A (user 1 as VO Manager, service_a, service_c) and Contract B (user p, service_x, service_y)
– VO management services on GGF: CAS (Community Authorization Service), VOMS (Virtual Organization Membership Service)

9 VOMS-type VO Management developed in EGEE
– The user obtains a user cert from the CA/RA, then a proxy cert with VO attributes from VOMS (an X.509 attribute certificate carrying DN, VO, group, role, capability)
– Grid job submission to the EGEE Grid site (GRAM) with the proxy cert + VO user cert; the site checks the CRL
– Policy Decision Point at the site: LCAS with GACL; mk-gridmapfile generates the gridmap file, which maps DNs to pseudo accounts

10 VOMS-type VO Management adopted in NAREGI
– The user obtains a user cert from the CA/RA and a proxy cert with VO info (DN, VO info) from VOMS; the site checks the CRL
– Grid job submission is managed by the Super Scheduler, which acts as Policy Decision and Enforcement Point; the Information Service acts as Policy Information Point
– Account mapping at the NAREGI Grid site (Grid VM, GRAM) via gridmap file and policy file
– Certificate handling is too hard for users
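The site-side decision sketched on slides 9 and 10 (VO attributes from the proxy, DN to account via a gridmap file, a site policy, a CRL check) can be made concrete. The following is an added example written for this page; it is not NAREGI, EGEE, gLite or LCAS/LCMAPS code. It parses the two formats those systems actually use, VOMS FQANs of the form /vo/group/Role=r/Capability=c (where "NULL" means not set) and the Globus gridmap file ("DN" account[,account]), but the policy rule format, the DNs, accounts and serial numbers are assumptions constructed for illustration.

```python
"""Constructed example of VOMS-style account mapping at a Grid site.

Not NAREGI/EGEE/gLite code. FQAN and gridmap syntax follow VOMS and Globus;
the Rule format and all sample DNs, accounts and serials are made up.
"""
import shlex
from dataclasses import dataclass
from typing import Optional

VOMS_NULL = "NULL"


@dataclass(frozen=True)
class FQAN:
    vo: str
    group: str                       # full group path, e.g. "/nano/sim"
    role: Optional[str] = None
    capability: Optional[str] = None


def _unset(v: Optional[str]) -> Optional[str]:
    return None if v in (None, "", VOMS_NULL) else v


def parse_fqan(text: str) -> FQAN:
    """Parse a VOMS FQAN; group segments must precede Role= and Capability=."""
    if not text.startswith("/"):
        raise ValueError(f"FQAN must start with '/': {text!r}")
    groups, role, capability = [], None, None
    for part in text.split("/")[1:]:
        if part.startswith("Role="):
            if role is not None:
                raise ValueError(f"duplicate Role in {text!r}")
            role = part[len("Role="):]
        elif part.startswith("Capability="):
            capability = part[len("Capability="):]
        elif role is not None or capability is not None:
            raise ValueError(f"group segment after Role/Capability in {text!r}")
        elif not part or "=" in part:
            raise ValueError(f"bad group segment {part!r} in {text!r}")
        else:
            groups.append(part)
    if not groups:
        raise ValueError(f"FQAN has no VO: {text!r}")
    return FQAN(groups[0], "/" + "/".join(groups), _unset(role), _unset(capability))


def parse_gridmap(text: str) -> dict:
    """Gridmap file: one '"DN" account[,account...]' per line, '#' comments."""
    mapping = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        tokens = shlex.split(line, comments=True)   # handles the quoted DN
        if not tokens:
            continue
        if len(tokens) != 2:
            raise ValueError(f"gridmap line {lineno}: expected '\"DN\" account'")
        mapping[tokens[0]] = tokens[1].split(",")
    return mapping


@dataclass(frozen=True)
class Rule:
    """Site policy rule (assumed format): VO, group prefix, optional role."""
    vo: str
    group: str
    role: Optional[str] = None      # None: any role
    account: Optional[str] = None   # None: use the gridmap account

    def matches(self, f: FQAN) -> bool:
        in_group = f.group == self.group or f.group.startswith(self.group + "/")
        return f.vo == self.vo and in_group and (self.role is None or self.role == f.role)


@dataclass(frozen=True)
class Decision:
    permit: bool
    account: Optional[str]
    reason: str


def authorize(dn, serial, fqans, gridmap, rules, revoked_serials) -> Decision:
    """Policy decision: CRL check, DN must be mapped, first matching rule wins."""
    if serial in revoked_serials:
        return Decision(False, None, "certificate revoked (CRL)")
    accounts = gridmap.get(dn)
    if not accounts:
        return Decision(False, None, "DN not in gridmap")
    for f in fqans:                  # the primary FQAN comes first in a VOMS proxy
        for r in rules:
            if r.matches(f):
                return Decision(True, r.account or accounts[0], f"matched {f.group} role={f.role}")
    return Decision(False, None, "no VO attribute permitted by site policy")


# Constructed sample data (not from any real site).
ALICE_DN = "/C=JP/O=NAREGI/OU=NII/CN=Alice Example"
BOB_DN = "/C=JP/O=NAREGI/OU=KEK/CN=Bob Example"
GRIDMAP = f'''
# constructed gridmap file
"{ALICE_DN}" nano001,nano002
"{BOB_DN}" hep001
'''
RULES = [
    Rule("nano", "/nano", role="VO-Admin", account="nanoadmin"),
    Rule("nano", "/nano"),
    Rule("hep", "/hep/ana"),
]
REVOKED = {"0x2b"}


def demo() -> dict:
    gm = parse_gridmap(GRIDMAP)
    fq = lambda *s: [parse_fqan(x) for x in s]
    return {
        "alice_member": authorize(ALICE_DN, "0x1a", fq("/nano/sim/Role=NULL/Capability=NULL"), gm, RULES, REVOKED),
        "alice_admin": authorize(ALICE_DN, "0x1a", fq("/nano/Role=VO-Admin/Capability=NULL"), gm, RULES, REVOKED),
        "bob_wrong_group": authorize(BOB_DN, "0x1c", fq("/hep/Role=NULL/Capability=NULL"), gm, RULES, REVOKED),
        "bob_revoked": authorize(BOB_DN, "0x2b", fq("/hep/ana/Role=NULL/Capability=NULL"), gm, RULES, REVOKED),
    }


if __name__ == "__main__":
    for name, d in demo().items():
        print(f"{name:16} permit={d.permit} account={d.account} ({d.reason})")
```

Rule order matters: the more specific VO-Admin rule is listed before the catch-all /nano rule, so an admin proxy lands on the admin account rather than the first gridmap entry. The group prefix test deliberately requires a "/" boundary, so a rule for /hep/ana does not admit a member of /hep/analysis.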

11 Job Submission mechanism in NAREGI Middleware β version
– Users: integrated and easy handling of VOMS and MyProxy
– Client environment: user certificate and private key; the user logs in to the portal
– Portal services (WFT, PSE, GVS) use the User Management Server (UMS), which obtains a VOMS proxy certificate from VOMS and stores it in MyProxy
– Workflow (WF): the WF credential is a user proxy cert passed through to the Super Scheduler (SS) with the delegation protocol, via the SS client and the WF Credential Repository
– The SS receives the WF and deploys Grid jobs, delegating the VOMS proxy certificate to each GridVM

12 NAREGI's Solution for VO and Job Management
– Adoption of VOMS for VO management
  – Using proxy certificates with VO attributes for interoperability with EGEE
  – GridVM is used instead of LCAS/LCMAPS
– Integration of MyProxy and VOMS servers
  – with UMS (User Management Server) to realize a one-stop service at the NAREGI Grid Portal
  – using gLite, implemented at UMS, to connect to the VOMS server
– Development of the Workflow Credential Repository
  – User proxy certificates are used as the workflow credential to realize GSI delegation between the NAREGI Grid Portal and the Super Scheduler, in the same way as MyProxy.
  – The Super Scheduler converts the security protocol of the job signature to GSI delegation.

13 Open Issues on VO Management
– Current issues on VO management
  – VOMS platform: gLite runs on GT2, while NAREGI middleware runs on GT4
  – GridVM: interoperability of authorization policy with other Grid projects is to be realized
  – Proxy certificate renewal: a new mechanism needs to be invented
– Future plan
  – Cooperation with GGF security area members to realize mutual interoperability
  – A proposal of a new VO management methodology and trial of a reference implementation

14 AuthN & AuthZ Services in the future
– The user obtains a user cert from the CA/RA; the user's proxy cert is stored in MyProxy; the user logs in via the Web Server
– Authentication & Authorization Service: Policy Decision Point using SAML + XACML, with VO management (LDAP) as Policy Information Point and CRL / OCSP / XKMS for certificate status
– Grid job submission: the Super Scheduler and GRAM (Grid VM) act as Policy Enforcement Point

15 Summary
– NAREGI first developed a reliable authentication system, which will be deployed in the UPKI project.
– VO management was the second target, and VOMS has been adopted for interoperability with EGEE.
– NAREGI commits to OGSA and will contribute to the standardization of VO management in the Grid community.
– ID management remains an open issue. GridShib or Liberty Alliance may be considered.

