Slide 1: How Grid Security works in GEO Sciences. N. Yamamoto, Y. Tanaka, I. Kojima, S. Sekiguchi (AIST). Oct. 28, 2009, GEO Workshop / PRAGMA17, Hanoi. http://www.geogrid.org/

Slide 2: What is Grid Security?
- Who am I? / Who are they? Grid Security Infrastructure (GSI)
- What can I do? / What can they do? Virtual Organization Membership Service (VOMS)

Slide 3: GEO Grid VO Design. Identity.

Slide 4: Requirements
- Credential Management: users who are not security experts often manage their private keys for PKI / GSI credentials without careful planning.
- Authentication methods: must accommodate existing, settled authentication methods (OpenID, Shibboleth, username and password, user credential, etc.).
- Portal Development: must accommodate existing application portals written in PHP, Perl, Python, Java Servlet, etc.

Slide 5: Tsukuba-GAMA. Authentication flow for PKI / GSI (diagram): the user logs in to the VO portal (PHP, Perl, Python, etc.) with a username and password, an OpenID, or a user credential; credential management (Credential Repository / MyProxy Repository, Online CA / MyProxy CA, end entity certificate) and VO management (VOMS, VO attribute) together produce a VOMS proxy certificate for the user.
OUR SOLUTION: TSUKUBA-GAMA
- Language free portal development: must accommodate existing application portals written in PHP, Perl, Python, Java Servlet, etc. Tsukuba-GAMA provides Apache, Servlet, and GridSphere authentication modules in order to support any language.
- Credential management: users who are not security experts often manage their private keys for PKI / GSI without careful planning. Tsukuba-GAMA manages user credentials on the server side instead of leaving it to inexperienced users.
- Independence from authentication methods: must accommodate existing, settled authentication methods (OpenID, Shibboleth, username and password, user credential, etc.). Tsukuba-GAMA generates Grid credentials from any method.

Slide 6: User Management System Architecture. Authentication types: (a) GAMA style: username and password; (b) Credential: Globus user certificate; (c) External authentication: OpenID or Shibboleth, through an external authentication service. Components: Web Portal, User DB, Credential Repository, On-line CA (MyProxy CA), VO Management Server (VOMS). Result: a VOMS-enabled proxy certificate.

Slide 7: DEMO 1: TSUKUBA-GAMA LOGIN, PRAGMA VO PORTAL (GRIDSPHERE)

Slide 8: Demo Environments: login. Components: USER, PRAGMA VO portal (http://gfm49.apgrid.org/gridsphere/), Credential Repository, PRAGMA VOMS. Flow: 1. input the username and password of the user certificate; 2. generate a Globus proxy certificate; 3. add the VOMS attribute; 4. register the proxy certificate. The user ends up with a VOMS proxy certificate.

Slide 9: Identity. Attribute.

Slide 10: DEMO 2: TSUKUBA-GAMA LOGIN, TESTVO PORTAL (GRIDSPHERE)

Slide 11: Same Identity, Different Attribute.

Slide 12: GEO Grid VO Design: PRAGMA VO and TEST VO ("I'm here").

Slide 13: GSI w/ VOMS (diagram). Portals: PRAGMA VO Portal (GridSphere, Perl, PHP, Java etc.), TEST VO Portal. Shared services: Credential Repository (MyProxy Repository), Online-CA (MyProxy CA). VOs: PRAGMA-VO (VOMS), GHZ-VO (VOMS). Diagram labels: Sign Certificate, VO member management, Share Account.

Slide 14: Configuration of the new system (example with 3 VOs). User portals: BIG User Portal (GridSphere, Perl, PHP, Java etc.), GHZ User Portal, ECO User Portal. Certificate store (MyProxy Repository). Online CA (MyProxy CA). User management portal (GridSphere3). VOs: BIG-VO (VOMS), GHZ-VO (VOMS), ECO-VO (VOMS). Diagram labels: account management; rekey (once a year); password change is possible; certificate issuance; VO member management; web application development in any language becomes possible; connection from multiple portals is possible; the CA and the certificate store are separated; no account import is needed.

Slide 15: EXAMPLE SCENARIO: SATELLITE DATABASE FEDERATION

Slide 16: OGSA-DAI Demo environment. Data sources: ASTER @Japan, PALSAR @Japan, MODIS @Japan, Formosat2 @Taiwan. VOMS groups: /PRAGMA/Geo, /TESTVO, /GHZ, NONE (FREE).

Slide 17: DEMO 3: SIMS SATELLITE DATABASE FEDERATION

Slide 18: SIMS federation architecture (diagram). NSPO@TW: Database Server (Sybase) holding FORMOSAT-2; Application Server running OGSA-DAI and Globus, reaching the database with SQL over JDBC. AIST@JP: Database Server (PostgreSQL) holding ASTER and MODIS; OGSA-DAI and Globus, SQL over JDBC. AIST: OGSA-DAI Client and Integration Framework with OGSA-DAI (Java program, SQL); SIMS portlet: queries data and creates a web page which shows thumbnail images. Also labelled: VOMS (at both sites), SIMS.

Slide 19: SIMS – Search Results: MODIS, FORMOSAT-2, ASTER.

Slide 20: DEMO 4: LANGUAGE FREE PORTAL DEVELOPMENT

Slide 21: DEMO 4-1: PORTAL DEVELOPMENT (OPENLAYERS)

Slide 22: OGCProxy. The user's request https://portal/OGCProxy?URL=https://gridsite/..../service is forwarded to https://gridsite/..../service. Diagram elements: User, Contents, ACL: /testvo.geogrid.org/aster, GridSite, VOMS Proxy, VO Name, Group. OGCProxy is a broker portlet forwarding users' requests to backend OGC services, providing a free development environment for client applications.
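A broker like OGCProxy has to decide two things before forwarding: that the URL= parameter names one of its own backends, and that the caller's VOMS proxy carries the group the ACL requires. The check below is an added example and not GEO Grid project code; the backend hosts, the second ACL entry and the FQAN strings are constructed, while the ACL path /testvo.geogrid.org/aster is the one on the slide.

```python
import posixpath
from urllib.parse import urlsplit, urlunsplit, parse_qs

# Constructed allowlist: backend URL prefix -> VOMS group the requester must hold.
# "/testvo.geogrid.org/aster" is the ACL shown on the slide; the hosts and the
# second entry are assumptions for this example.
BACKEND_ACL = {
    "https://gridsite.example.org/aster/": "/testvo.geogrid.org/aster",
    "https://gridsite.example.org/formosat2/": "/testvo.geogrid.org/formosat2",
}

def fqan_groups(fqans):
    """Group part of each VOMS FQAN, e.g.
    '/testvo.geogrid.org/aster/Role=NULL/Capability=NULL' -> '/testvo.geogrid.org/aster'."""
    groups = set()
    for fqan in fqans:
        parts = [p for p in fqan.split("/") if p and "=" not in p]
        groups.add("/" + "/".join(parts))
    return groups

def canonical(url):
    """Normalise the backend URL before matching it against the allowlist, so that
    '/aster/../formosat2/service' cannot pass a prefix check meant for '/aster/'."""
    u = urlsplit(url)
    path = posixpath.normpath(u.path) if u.path else "/"
    return urlunsplit((u.scheme.lower(), u.netloc.lower(), path, u.query, ""))

def authorize(proxy_request_url, fqans):
    """Return the backend URL to forward to, or None to refuse.
    Forwarding is allowed only if the URL= parameter names an allowlisted
    backend (so the broker is not an open relay) and the user's VOMS proxy
    carries the group the ACL requires for that backend, or a subgroup of it."""
    query = parse_qs(urlsplit(proxy_request_url).query)
    target = query.get("URL", [""])[0]
    if not target or urlsplit(target).scheme.lower() != "https":
        return None
    target = canonical(target)
    held = fqan_groups(fqans)
    for prefix, required in BACKEND_ACL.items():
        if target.startswith(prefix):
            if any(g == required or g.startswith(required + "/") for g in held):
                return target
            return None          # known backend, but the proxy lacks the required group
    return None                  # not an allowlisted backend
```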

Slide 23: ASTER + Formosat2 / OpenLayers: ASTER / Japan, Formosat2 / Taiwan.

Slide 24: DEMO 4-2: PORTAL DEVELOPMENT (PHP, PERL, ...)

Slide 25: Web Portal Development. apache_ahtn_myproxy module: PHP, Perl, Python, etc. Servlet basic authentication module: Java Servlet. GridSphere authentication module.

Slide 26: DEMO 5: INDEPENDENCE FROM AUTHENTICATION METHODS

Slide 27: DEMO 5-1: INDEPENDENCE FROM AUTHENTICATION METHODS (OPENID)

Slide 28: OpenID login flow (diagram). The user logs in to the Web Portal's OpenID authentication module with an OpenID URL, the password for the OpenID being checked by the OpenID Server; the portal requests a short-lived credential from the MyProxy CA (account DB, credential repository), and the VOMS server (VO member DB) supplies the VO attributes, yielding a VOMS proxy.

Slide 29: DEMO 5-1: INDEPENDENCE FROM AUTHENTICATION METHODS (CREDENTIAL)

Slide 30: Credential Login. (Repeats the Tsukuba-GAMA authentication flow for PKI / GSI diagram and the three solution points of slide 5: language free portal development, credential management, independence from authentication methods; this time the user enters with a user credential.)

Slide 31: Compare Identity: the Credential Login and the OpenID Login yield the same identity in the same VO.

Slide 32: Conclusions (over the Tsukuba-GAMA authentication flow diagram of slide 5).
- Language free portal development: GridSphere / satellite database federation; geographical portal / OpenLayers; PHP, Perl.
- Credential management: the user does not need to manage their credentials.
- Independence from authentication methods: username and password; OpenID; Globus credential.

Slide 33: THANK YOU. To be released NEXT month!

Slide 34: DEMO 6: ACCOUNT CREATION

Slide 35: Account Creation. Components: USER, Account DB (GAMA), VO (VOMS), VO portal (http://testvo.geogrid.org/gridsphere/), Account Portal (http://testvo.geogrid.org:9443/gridsphere). Flow: 1. the user requests an account; 2. the Account Admin approves; 3. the account is activated; 4. the VO Admin registers the user to the VO, importing the user's account information into the VO.
