Presentation is loading. Please wait.

Presentation is loading. Please wait.

Connect. Communicate. Collaborate The authN and authR infrastructure of perfSONAR MDM Ann Arbor, MI, September 2008.

Published byEvan Hines Modified over 8 years ago

Similar presentations

Presentation on theme: "Connect. Communicate. Collaborate The authN and authR infrastructure of perfSONAR MDM Ann Arbor, MI, September 2008."— Presentation transcript:

1 Connect. Communicate. Collaborate The authN and authR infrastructure of perfSONAR MDM Ann Arbor, MI, September 2008

2 Connect. Communicate. Collaborate Outline What is MDM perfSONAR? Which problem has been solved? The AAI of perfSONAR Conclusion and future work

3 Connect. Communicate. Collaborate What is MDM perfSONAR? perfSONAR (Performance focused Service Oriented Network Monitoring Architecture) system –Is a joint effort of EU-funded IST project GN2-JRA1, Internet2, ESnet and RNP –Open source development also for other interested networks –Name reflects the choice of Service Oriented Architecture –The solution is deployed and further elaborated in European Research Backbone GÉANT Connected European National Research and Education Networks Internet2’ s Abilene network ESnet (Energy Sciences network in US) RNP (Brazilian NREN)

4 Connect. Communicate. Collaborate What is MDM perfSONAR? Partners Connect. Communicate. Collaborate

5 What is MDM perfSONAR? Overview The project is divided in two parts –The web services architecture Java & Perl –Protocols Based on the Open Grid Forum Network Measurement Working Group Schemas It provides –Performance measurements in a multi-domain environment –Cross-domain monitoring capability

6 Connect. Communicate. Collaborate What is MDM perfSONAR? Framework Connect. Communicate. Collaborate

7 What is MDM perfSONAR? Services in perfSONAR MDM 3.0 Available services in perfSONAR MDM 3.0 –Lookup Service –Authentication Service –Measurement Archive Service RRD and SQL versions –Measurement Point SSH/Telnet BWCTL Command Line TC

8 Connect. Communicate. Collaborate What is MDM perfSONAR? Services in perfSONAR MDM 3.0 Web admin interface!

9 Connect. Communicate. Collaborate What is MDM perfSONAR? Services in perfSONAR MDM 3.0 Easy distribution –WAR files –RPM & DEB packages Also for Tomcat and eXist DB

10 Connect. Communicate. Collaborate Outline What is MDM perfSONAR? Which problem has been solved? The AAI of perfSONAR Conclusion and future work

11 Connect. Communicate. Collaborate Which problem has been solved? User groups using perfSONAR –NOC (Network Operations Center) / PERT (Performance Emergency Response Team) staff –Project members (e.g. EGEE project) –End users –Administrative/non-technical staff Users accessing perfSONAR services in a multi-domain environment

12 Connect. Communicate. Collaborate Which problem has been solved? PerfSONAR services have to be protected –Accepting messages only from allowed users/user groups –Providing them only the data they need to get The scenario we had found… –Different languages for web services –Different languages for visualization tools –Different AAIs in each domain –Not only the common web-based single sign-on solution

13 Connect. Communicate. Collaborate Outline What is MDM perfSONAR? Which problem has been solved? The AAI of perfSONAR Conclusion and future work

14 Connect. Communicate. Collaborate The AAI of perfSONAR MDM The Authentication and authorization Service (AS) –Developed as another perfSONAR service –It is used by other services for Checking whether the user is authenticated Checking whether the user is allowed to do an action in a service Checking user’s attributes http://wiki.perfsonar.net/jra1-wiki/index.php/Authentication_Service_resources

15 Connect. Communicate. Collaborate The AAI of perfSONAR MDM Connect. Communicate. Collaborate

16 The AAI of perfSONAR MDM What does eduGAIN offer perfSONAR? –An unified framework of digital identity URN registry service PKI service Neutral area of identity providers and messages –Shibboleth, PAPI, FEIDE, A-Select, … MetaData Service GÉANT Identity Provider (GIdP) for “homeless” Java-based libraries for interacting with eduGAIN components –Support for our problems! :-) What does NOT eduGAIN offer perfSONAR? –An Authentication and Authorization Service

17 Connect. Communicate. Collaborate The AAI of perfSONAR MDM: profiles Transmission of credentials –Clients send security tokens representing themselves –Web Service Security (WS-SEC) standard Different clients - different profiles –Automated Client (AC) profile: without human interaction Scripts –Client in a Web containEr (WE) profile: web-based applications –User behind a Client (UbC) profile: non web-based applications

18 Connect. Communicate. Collaborate The AAI of perfSONAR MDM: AC profile Connect. Communicate. Collaborate Unique and non-transferable ID for each client –URN obtained from eduGAIN registry service Private and public key valid in the eduGAIN trust model –Subject Alternative Name of the cert contains the URN –Obtained from eduGAIN PKI Security Token is based on the X.509 certificate

19 Connect. Communicate. Collaborate The AAI of perfSONAR MDM: AC profile Connect. Communicate. Collaborate Authentication data included in the SOAP header Certificate of the client sent following the X.509 profile of WS-SEC Generation of the ws-sec element is a proof of the authenticity of the client Certificate contains the component ID It is used for the Subject in the Attribute Request

20 Connect. Communicate. Collaborate The AAI of perfSONAR MDM: UbC profile Connect. Communicate. Collaborate A similar case than AC –An online CA for getting the certficate SASL CA

21 Connect. Communicate. Collaborate The AAI of perfSONAR MDM: WE profile Connect. Communicate. Collaborate Uses the eduGAIN webSSO profile SAML assertions contain user’s credentials Clients must have a pair of keys valid in the eduGAIN trust model Security Token is based on SAML assertions

22 Connect. Communicate. Collaborate The AAI of perfSONAR MDM: WE profile Connect. Communicate. Collaborate Constraints of the relayed-trust SAML assertion It must be bound to the client by the H-BE User’s credentials legally obtained It must be bound to the resource by the client Malicious resource cannot re-use it This SAML assertion contains AudienceRestrictionCondition element with the component ID of the resource Authentication statement ConfirmationMethod element containing the value relayed-trust SubjectConfirmationData has the SAML assertion got from the H-BE

23 Connect. Communicate. Collaborate The AAI of perfSONAR MDM: WE profile Connect. Communicate. Collaborate Authentication data included in the SOAP header Relayed-trust SAML assertion sent following the X.509 and SAML profiles of WS-SEC Certificate contains the component ID of the client Subject of the SAML assertion used for requesting its attributes

24 Connect. Communicate. Collaborate The AAI of perfSONAR MDM: the future Connect. Communicate. Collaborate

25 Outline What is MDM perfSONAR? Which problem has been solved? The AAI of perfSONAR Conclusion and future work

26 Connect. Communicate. Collaborate Conclusion and future work perfSONAR has a full AAI with “minimal” efforts –Components for services –Libraries for services and clients –They don’t have to understand AA issues… … or almost O:-) UbC profile has to be redesigned –It uses SASL CA Bad choice –There is a solution on the way “eduroam style” We are working on the authorization part –Making easy what it isn’t easy Main goal for the future: the performance

27 Connect. Communicate. Collaborate Thank you for your attention! Any questions?

Download ppt "Connect. Communicate. Collaborate The authN and authR infrastructure of perfSONAR MDM Ann Arbor, MI, September 2008."

Similar presentations

Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.

Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.
CLARIN AAI, Web Services Security Requirements

CLARIN AAI, Web Services Security Requirements
Donkey Project Introduction and ideas around February 21, 2003 Yuri Demchenko.

Donkey Project Introduction and ideas around February 21, 2003 Yuri Demchenko.
Connect. Communicate. Collaborate Click to edit Master title style MODULE 1: perfSONAR TECHNICAL OVERVIEW.

Connect. Communicate. Collaborate Click to edit Master title style MODULE 1: perfSONAR TECHNICAL OVERVIEW.
TechSec WG: Related activities overview Information and discussion TechSec WG, RIPE-45 May 14, 2003 Yuri Demchenko.

TechSec WG: Related activities overview Information and discussion TechSec WG, RIPE-45 May 14, 2003 Yuri Demchenko.
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
2006 © SWITCH Authentication and Authorization Infrastructures in e-Science (and the role of NRENs) Christoph Witzig SWITCH e-IRG, Helsinki, Oct 4, 2006.

2006 © SWITCH Authentication and Authorization Infrastructures in e-Science (and the role of NRENs) Christoph Witzig SWITCH e-IRG, Helsinki, Oct 4, 2006.
Connect. Communicate. Collaborate 1 QUATIC 2007 Lisbon New University (Portugal), September 12-14, 2007 Quality Assurance in perfSONAR Release Management.

Connect. Communicate. Collaborate 1 QUATIC 2007 Lisbon New University (Portugal), September 12-14, 2007 Quality Assurance in perfSONAR Release Management.
Connect. Communicate. Collaborate WI5 – tools implementation Stephan Kraft October 2007, Sevilla.

Connect. Communicate. Collaborate WI5 – tools implementation Stephan Kraft October 2007, Sevilla.
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
Kerberos and PKI Cooperation Daniel Kouřil, Luděk Matyska, Michal Procházka Masaryk University AFS & Kerberos Best Practices Workshop 2006.

Kerberos and PKI Cooperation Daniel Kouřil, Luděk Matyska, Michal Procházka Masaryk University AFS & Kerberos Best Practices Workshop 2006.
TF-EMC2 February 2006, Zagreb Deploying Authorization Mechanisms for Federated Services in the EDUROAM Architecture (DAME) -Technical Project Proposal-

TF-EMC2 February 2006, Zagreb Deploying Authorization Mechanisms for Federated Services in the EDUROAM Architecture (DAME) -Technical Project Proposal-
Connect. Communicate. Collaborate The eduGAIN Way Diego R. Lopez - RedIRIS.

Connect. Communicate. Collaborate The eduGAIN Way Diego R. Lopez - RedIRIS.
Connect. Communicate. Collaborate GÉANT2 JRA1 & perfSONAR Loukik Kudarimoti, DANTE 28 th May, 2006 RNP Workshop, Curitiba.

Connect. Communicate. Collaborate GÉANT2 JRA1 & perfSONAR Loukik Kudarimoti, DANTE 28 th May, 2006 RNP Workshop, Curitiba.
December 19, 2006 Solving Web Single Sign-on with Standards and Open Source Solutions Trey Drake AssetWorld 2007 Albuquerque, New Mexico November 2007.

December 19, 2006 Solving Web Single Sign-on with Standards and Open Source Solutions Trey Drake AssetWorld 2007 Albuquerque, New Mexico November 2007.
 Key exchange o Kerberos o Digital certificates  Certificate authority structure o PGP, hierarchical model  Recovery from exposed keys o Revocation.

 Key exchange o Kerberos o Digital certificates  Certificate authority structure o PGP, hierarchical model  Recovery from exposed keys o Revocation.
CSC – Tieteen tietotekniikan keskus Oy CSC – IT Center for Science Ltd. The Language Bank of Finland User Authentication and Authorization Service https://aai.csc.fi/

CSC – Tieteen tietotekniikan keskus Oy CSC – IT Center for Science Ltd. The Language Bank of Finland User Authentication and Authorization Service
FIM-ig Federated Identity Management Interest Group.

FIM-ig Federated Identity Management Interest Group.
To identity federation and beyond! Josh Howlett JANET(UK) HEAnet 2008.

To identity federation and beyond! Josh Howlett JANET(UK) HEAnet 2008.
SWITCHaai Team Introduction to Shibboleth.

SWITCHaai Team Introduction to Shibboleth.

Similar presentations

Ads by Google