Toward Production Level Operation of Authentication System for High Performance Computing Infrastructure in Japan
Eisaku Sakane and Kento Aida, National Institute of Informatics


Introduction

High Performance Computing Infrastructure (HPCI)
- national project promoted by the Ministry of Education, Culture, Sports, Science and Technology (MEXT) in Japan
- distributed computing infrastructure for high performance computing: the "K computer", supercomputers and high performance storage
- first production level infrastructure for high performance computing in Japan

Roadmap
- until Mar 2011: basic design (network, authentication, user management, shared storage, testbed for advanced software)
- Apr – Dec 2011: detailed design
- Jan – Oct 2012: test operation
- from Nov 2012: production level operation

This talk presents pilot operations of the authentication system for HPCI.

HPCI Overview (as of Nov. 2012)

[Diagram] Components shown:
- authentication: portal, CA system with certificate repository, Shibboleth SP; users apply for a certificate and sign on once (single sign-on)
- user management: HPCI Secretariat (organized in 2011) handling HPCI ID registration, account registration, review of proposals and the helpdesk
- computer resources: AICS (K computer) and supercomputer centers in 9 universities, each with a Shibboleth IdP; shared storage
- network infrastructure connecting users and resources
- sites labelled: NII, HPCI Secretariat, AICS, U. Tokyo
- More resources will be connected afterwards.

SINET4

SINET4: Science Information NETwork 4

SINET4 (cont'd)

[Diagram] Users, resource providers (universities with computing resources and storage), AICS, the CA and the portal connected over SINET4 with QoS VPN; IXs to commercial networks in Tokyo and Osaka; commercial and non-commercial networks are separated.
- connection to 700+ academic sites
- IX for commercial networks: 134 (30 Gbps) in Tokyo, 22 (11 Gbps) in Osaka
- 80 Gbps backbone (planned in 2011)
- L3VPN, L2VPN/VPLS, QoS

AICS and Supercomputer Centers in Japanese Universities
- Hokkaido Univ.: SR11000/K1 (5.4 Tflops, 5 TB), PC Cluster (0.5 Tflops, 0.64 TB)
- Tohoku Univ.: NEC SX-9 (29.4 Tflops, 18 TB), NEC Express5800 (1.74 Tflops, 3 TB)
- Univ. of Tsukuba: T2K Open Supercomputer (95.4 Tflops, 20 TB)
- Univ. of Tokyo: T2K Open Supercomputer (140 Tflops, 31.25 TB)
- Tokyo Institute of Technology: Tsubame 2 (2.4 Pflops, 100 TB)
- Nagoya Univ.: FX1 (30.72 Tflops, 24 TB), HX600 (25.6 Tflops, 10 TB), M9000 (3.84 Tflops, 3 TB)
- Kyoto Univ.: T2K Open Supercomputer (61.2 Tflops, 13 TB)
- Osaka Univ.: SX-9 (16 Tflops, 10 TB), SX-8R (5.3 Tflops, 3.3 TB), PC Cluster (23.3 Tflops, 2.9 TB)
- Kyushu Univ.: PC Cluster (55 Tflops, 18.8 TB), SR16000 L2 (25.3 Tflops, 5.5 TB), PC Cluster (18.4 Tflops, 3 TB)
- AICS, RIKEN: K computer (10 Pflops, 4 PB), available in 2012
- A 1 Pflops machine without accelerator will be installed by the end of 2011.
source: Y. Ishikawa, Univ. of Tokyo

Storage

[Diagram] Sites: Hokkaido University, Tohoku University, University of Tokyo, University of Tsukuba, Tokyo Institute of Technology, Nagoya University, Kyoto University, Osaka University, Kyushu University, AICS (RIKEN); two hubs, HPCI EAST HUB and HPCI WEST HUB, with 12 PB+ and 10 PB+ of storage.
- Gfarm2 is used as the global shared file system.
source: Y. Ishikawa, Univ. of Tokyo

Authentication

The goal is enabling single sign-on to computer resources and shared storage in HPCI.
- survey of existing software technologies and operation of grid infrastructures
- account management: centralized or distributed?

[Diagram] Single sign-on flow: the user signs on the portal with the HPCI account and password, then logs in to computers and accesses shared storage.
(1) sign-on the portal with HPCI acct.
(2) ssh login to computers without password:
    % gsi-ssh host.univ.ac.jp

Shibboleth + GSI

Shibboleth for account management of HPCI
- HPCI account = account to sign on HPCI
- federation of HPCI accounts managed in a distributed way using Shibboleth
- A user has an HPCI account in one supercomputer center.

Grid Security Infrastructure (GSI) for single sign-on
- de facto standard in grid communities
- enabling single sign-on using PKI
- creating proxy certificates and delegation
- mapping the "Distinguished Name (DN)" in a client certificate to a local account in supercomputer centers via the grid-mapfile, e.g.:
    "/C=JP/O=NII/OU=CGRD/CN=Kento Aida" aida

Pilot Operations

1st phase: Apr – Dec 2011
- objective: for the operating organizations to get used to operating the GSI and Shibboleth systems
- National Institute of Informatics: operating the CA system and the portal
  - building an experimental CA system including a certificate repository (UMS provided by Shibbolized NAREGI Middleware v1.1)
  - building an authentication portal with a proxy certificate repository (portal provided by Shibbolized NAREGI M/W)
- Supercomputer centers
  - building a Shibboleth IdP
  - setting up a GSI-enabled ssh server and client as SP

Architecture

[Diagram] Components and flow:
- National Institute of Informatics: Certificate Management System consisting of the CA System (Shib. SP) with Cert. Repository and the Portal (Shib. SP) with Proxy Cert. Repository; Shib. DS
- Supercomputer Centers: Shib. IdP with Account DB
- Supercomputer Centers, AICS: GSI-SSH Server, storage
- end-user: web browser, GSI-SSH client
- steps: apply for certificate; sign on HPCI; login to compt. resources
- all connected over SINET 4

Screenshots

Result of 1st phase

We confirmed the following:
- signing on the authentication portal with the Shibboleth federation mechanism
- getting an end-user certificate via the authentication portal
- generating a proxy certificate and downloading it to the end-user's terminal computer
- logging in to 9 supercomputer centers using GSI-enabled SSH
The system works as a single sign-on system.

Documents for HPCI users and administrators were revised according to feedback from participating organizations.

Problem
- port number (22/tcp) collision between SSH and GSI-enabled SSH
- Administrators are reluctant to stop sshd or replace it with gsi-sshd because of the security policy of the supercomputer center.
- We will unify the port number for gsi-sshd with another port number.
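A preflight check for the port collision described in this slide, added here as an example (it is not part of the talk or of the HPCI deployment). Both sshd and gsi-sshd read OpenSSH-style configuration, so the check parses the Port and ListenAddress directives of each daemon's file, derives the endpoints each would bind, and reports any port claimed by both. The sshd_config fragments below are constructed, and 2222 is a placeholder: the talk does not say which port gsi-sshd was moved to.

```python
"""Preflight check that sshd and gsi-sshd do not both bind the same TCP port.

Added example with constructed sample configurations; not HPCI's own tooling.
"""
from typing import Dict, List, Optional, Set, Tuple

DEFAULT_SSH_PORT = 22  # OpenSSH default when no Port directive is present


def parse_listen_address(value: str) -> Tuple[str, Optional[int]]:
    """Split a ListenAddress value into (host, port); port is None if absent.

    Accepted forms, as in sshd_config(5): host, host:port, [host]:port.
    A trailing 'rdomain ...' qualifier is ignored.
    """
    token = value.split()[0]
    if token.startswith("["):                       # [IPv6-or-host]:port
        host, _, rest = token[1:].partition("]")
        return host, (int(rest[1:]) if rest.startswith(":") else None)
    if token.count(":") == 1:                       # IPv4-or-hostname:port
        host, port = token.split(":")
        return host, int(port)
    return token, None                              # bare address or hostname


def listening_endpoints(config_text: str) -> Set[Tuple[str, int]]:
    """Return the (address, port) pairs an OpenSSH-style daemon would listen on.

    Every ListenAddress without its own port is combined with every Port; with
    no ListenAddress the wildcard '*' is used; with no Port, 22 is used.
    """
    ports: List[int] = []
    addresses: List[Tuple[str, Optional[int]]] = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()         # drop comments and blanks
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "port":
            ports.append(int(value))
        elif key == "listenaddress":
            addresses.append(parse_listen_address(value))
    ports = ports or [DEFAULT_SSH_PORT]
    addresses = addresses or [("*", None)]
    endpoints: Set[Tuple[str, int]] = set()
    for host, port in addresses:
        for p in ([port] if port is not None else ports):
            endpoints.add((host, p))
    return endpoints


def port_collisions(configs: Dict[str, str]) -> List[Tuple[int, List[str]]]:
    """List ports that two or more daemons would bind, with the daemons' names.

    Deliberately conservative: it compares ports only, because a wildcard bind
    on a port conflicts with any specific address on that same port.
    """
    owners: Dict[int, Set[str]] = {}
    for name, text in configs.items():
        for _host, port in listening_endpoints(text):
            owners.setdefault(port, set()).add(name)
    return sorted((port, sorted(names)) for port, names in owners.items() if len(names) > 1)


# Constructed sample configurations (not from any HPCI site).
SSHD_CONFIG = """
# stock sshd kept for the center's existing users
Port 22
ListenAddress 0.0.0.0
PermitRootLogin no
"""

GSI_SSHD_COLLIDING = """
# gsi-sshd as first deployed: no Port line, so it also wants 22/tcp
GSSAPIAuthentication yes
"""

GSI_SSHD_SEPARATE = """
# gsi-sshd moved to its own port (2222 is a placeholder; the talk does not name the port)
Port 2222
GSSAPIAuthentication yes
"""

if __name__ == "__main__":
    for label, gsi in (("before", GSI_SSHD_COLLIDING), ("after", GSI_SSHD_SEPARATE)):
        print(label, port_collisions({"sshd": SSHD_CONFIG, "gsi-sshd": gsi}))
```

Run against the real files on a login node (for example `open("/etc/ssh/sshd_config").read()` and the gsi-sshd configuration path in use) before restarting either daemon; an empty result means the two services can coexist on the host.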

Pilot Operations (cont'd)

2nd phase: Jan 2012 –
- objective: evaluation of the authentication system and feedback
- building a production level CA system
  - preparing dedicated machines, HSM
  - performing key ceremony
  - examinations on normal or abnormal operations
  - replacing certificates from the 1st phase with new certificates issued by the new CA
- building an authentication portal for HPCI
- collaboration with the HPCI secretariat
  - the role of the HPCI secretariat: proposals to use HPCI (including registration of HPCI ID), notification of review, coordination among resource providers, …
  - HPCI-ID is important because it connects the subject DN with the local account.
  - combination examination between NII (CA), supercomputer centers (RPs) and the HPCI secretariat

Connecting Subject DN with LN

Flow until the subject DN and the local account name (LN) are connected:
- An HPCI-ID is assigned to an end-user.
- The HPCI secretariat notifies the CA and RPs of the HPCI-ID.
- The CA manages the subject DN with the HPCI-ID.
- The RP manages the local account name with the HPCI-ID.
- The RP inquires the information of the CA, then generates the grid-mapfile.

[Diagram] The HPCI secretariat issues the HPCI-ID to the CA and the RP; the CA holds /C=JP/O=NII/OU=CGRD/CN=Kento Aida, the RP holds aida (LN); the resulting grid-mapfile entry is:
    "/C=JP/O=NII/OU=CGRD/CN=Kento Aida" aida
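The join described in this slide, and the grid-mapfile mapping introduced in the Shibboleth + GSI slide, worked through in code. This is an added example, not the HPCI software: it takes the CA's (HPCI-ID, subject DN) records and an RP's (HPCI-ID, local account) records, emits a grid-mapfile only for HPCI-IDs known to both sides, reports the rest, and then resolves a DN against the parsed file the way a GSI-enabled server maps a client certificate to a local account. HPCI-ID values and every record except the DN/account pair quoted in the talk are constructed; the file syntax follows the Globus convention (double-quoted DN, then one or more comma-separated local accounts).

```python
"""Generate a grid-mapfile by joining CA and RP tables on HPCI-ID, then look a
DN up in it. Added example with constructed records; not HPCI's own code.
"""
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample data: the HPCI-ID values are made-up placeholders.
CA_RECORDS: List[Tuple[str, str]] = [
    ("hpci000001", "/C=JP/O=NII/OU=CGRD/CN=Kento Aida"),       # pair shown in the talk
    ("hpci000002", "/C=JP/O=NII/OU=CGRD/CN=Example User"),
    ("hpci000003", "/C=JP/O=NII/OU=CGRD/CN=No Local Account"),  # no account at this RP
]
RP_RECORDS: List[Tuple[str, str]] = [
    ("hpci000001", "aida"),
    ("hpci000002", "exuser"),
    ("hpci000009", "orphan"),   # HPCI-ID for which the CA has issued no certificate
]


def index_by_hpci_id(records: Iterable[Tuple[str, str]]) -> Dict[str, str]:
    """Build HPCI-ID -> value, refusing two different values for one HPCI-ID."""
    index: Dict[str, str] = {}
    for hpci_id, value in records:
        if index.get(hpci_id, value) != value:
            raise ValueError(f"conflicting entries for HPCI-ID {hpci_id}")
        index[hpci_id] = value
    return index


def build_grid_mapfile(ca_records: Iterable[Tuple[str, str]],
                       rp_records: Iterable[Tuple[str, str]]) -> Tuple[List[str], List[str]]:
    """Return (grid-mapfile lines, HPCI-IDs present on only one side).

    Only an HPCI-ID known to both the CA and the RP yields a mapping; anything
    else is reported so the RP can follow up with the secretariat instead of
    silently granting or withholding access.
    """
    dn_by_id = index_by_hpci_id(ca_records)
    ln_by_id = index_by_hpci_id(rp_records)
    both = dn_by_id.keys() & ln_by_id.keys()
    lines: List[str] = []
    for hpci_id in sorted(both):
        dn = dn_by_id[hpci_id]
        if '"' in dn or "\n" in dn:
            raise ValueError(f"DN for {hpci_id} cannot be quoted in a grid-mapfile")
        lines.append(f'"{dn}" {ln_by_id[hpci_id]}')   # Globus format: "DN" account
    unmatched = sorted((dn_by_id.keys() | ln_by_id.keys()) - both)
    return lines, unmatched


def parse_grid_mapfile(text: str) -> Dict[str, List[str]]:
    """Parse grid-mapfile text into DN -> [local accounts].

    Each entry is a double-quoted DN followed by one or more comma-separated
    local account names (Globus convention); blank and '#' lines are skipped.
    """
    mapping: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        end = line.find('"', 1)
        if not line.startswith('"') or end < 0:
            raise ValueError(f"malformed grid-mapfile entry: {raw!r}")
        accounts = [a for a in line[end + 1:].strip().split(",") if a]
        if not accounts:
            raise ValueError(f"no local account in grid-mapfile entry: {raw!r}")
        mapping[line[1:end]] = accounts
    return mapping


def local_account_for(subject_dn: str, mapping: Dict[str, List[str]]) -> Optional[str]:
    """Default local account for a certificate subject, or None if unmapped.

    The match is an exact string comparison on the DN; an unmapped DN means
    the login is refused rather than mapped to some fallback account.
    """
    accounts = mapping.get(subject_dn)
    return accounts[0] if accounts else None


if __name__ == "__main__":
    lines, unmatched = build_grid_mapfile(CA_RECORDS, RP_RECORDS)
    print("\n".join(lines))
    print("unmatched HPCI-IDs:", unmatched)
    mapping = parse_grid_mapfile("\n".join(lines))
    print(local_account_for("/C=JP/O=NII/OU=CGRD/CN=Kento Aida", mapping))
```

The unmatched list is the operationally important output: an HPCI-ID the CA knows but the RP does not (a user with a certificate but no local account yet) and an HPCI-ID the RP knows but the CA does not (an account with no certificate behind it) both need a human decision, and keeping them out of the generated file means the RP never maps a certificate to an account the secretariat has not tied to the same HPCI-ID.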

Conclusions

This talk presented an evaluation experiment of the authentication system for HPCI.

Current status and future work
- network: SINET4 has started production level operation.
- authentication: entering the 2nd phase of the evaluation experiment
  - built a production level CA system in NII and evaluated its performance
  - starting test operation of the production level system from Feb 2012
  - considering when to switch the hash algorithm in digital signatures to SHA-2
- user management: still preparing to start the HPCI secretariat; starting test operation as soon as possible