2015/6/21 UPKI project update Yasuo Okabe Academic Center for Computing and Media Studies Kyoto University
2015/6/22 UPKI ― Inter-University Authentication and Authorization Platform for CSI Conducted by NII and the information infrastructure centers in 7 universities Supported by Ministry of Education, Science and Technology Campus AAI UPKI common specification UPKI A 大アクセスポイント B 大の教授 B 大職員 A 大学 B 大学 C 大学 C 大電子コンテンツ B 大アクセスポイント Wireles LAN roaming C 大事務システム
NII International Workshop on Cyber Science Infrastructure 3 UPKI: concept Targets various applications SSO of Web services Digital Signature/Encryption by S/MIME Network Services wireless LAN roaming and VPN Grid computing Utilization of PKI “U” stands University/Universal/Ubiquitous Deployment of Grid/PKI middleware for national academic AA infrastructure
2015/6/24 Planned Schedule of UPKI Developing, deploying and fostering new applications UPKI common Specification Applications UPKI Initiative 2006 FY 2007 FY 2008 FY founded ・ Gathering common interests and opinions, and feedback, ・ Interoperability check, knowledge transfer, publicity, tutorial works, … Campus PKI specification Model design Outsource model Campus PKI CP/CPS template Outsource model 2009 FY and later CA software Development of CA software package Distribution and support for deployment of CA software package Insource model, multi-university cooperative model Wireless LAN roaming Single Sign On to Web Services S/MIME ・ Deployment of campus PKI at each university ・ Connecting universities ・ Federation of applications etc.
2015/6/25 Ongoing Subprojects Designing Common CP/CPS, Profiles, … Development and Deployment of “NAREGI-CA” Certificate Authority Middleware PKI based Applications InterUniversity Web SSO SAML2.0/Shibboleth + PKI Wireless LAN Roaming 802.1X, EduRoam compatible ( VPN Secure Service via S/MIME Supercomputing Grid etc.
2015/6/26 UPKI three layer Architecture Shibboleth/SAML
2015/6/27 Subprojects by NII UPKI common CP/CPS 【 WP1 】 Public server certificate 【 WP2 】 Inter-University W-LAN roaming 【 WP3 】 SSO for Digital Library Service by NII and other universities via Shibboleth/SAML 【 WP4 】 Development of CA middleware 【 WP5 】 Deployment of S/MIME signature/encryption architecture 【 WP6 】
2015/6/28 Operation Models of CA Insource Univ RA IA Univ. provider Full outsource RA IA IA outsource Univ provider IA RA CP/CPS
2015/6/29 NAREGI National Research Grid Initiative collaboration projects among industry, academic sector and the government.
2015/6/210 NAREGI Grid Middleware stack
2015/6/211 Nationwide Academic Grid Networks over SuperSINET (experimental) AIST (Tsukuba) Kyushu I. Tech. NAREGI Grid network Kyushu U. I. Molecular Sci. (Okazaki) Tokyo I. Tech. Osaka U. NII NAREGI core NAREGI NII Cluster NAREGI IMS Cluster Doshisha SD 8-center Grid Computing WG network Hokkaido U. Tohoku U. U. Tokyo Nagoya U. Doshisha U. Kyoto U. Kyushu U.
2015/6/212 NAREGI Certification Service CA Software (NAREGI-CA) Policy Management Management(NAREGI-PMA) Operation (NII GOC CA) - CP/CPS -Satisfy APGrid minimum requirement minimum requirement - CA/RA - UI (Character, Web) - Operation of CA - Authorized by the APGrid PMA Production Level CA PMA Production Level CA
2015/6/213 NAREGI-CA A full-fledged CA (Certificate Authority) Software for PKI Originally developed for Grid computing, but can be used for general purpose Free open source software Ver2.0 (May ) Ver2.0 (May ) is available at Research collaboration Audit of CA :AIST, JapanAudit of CA :AIST, Japan PMA for international cooperation : APGRIDPMA for international cooperation : APGRID User Sites NAREGI, AIST, Several UniversitiesNAREGI, AIST, Several Universities
2015/6/214 Comparison among CA softwares Product nameIssue of Certif. CRL periodi cal LDAPHSMMultip le CA Profile manage ment HW token Operat or Loggi ng NAREGI CA file, bulk, WEB, LCMP ○○○○○○○○ OpenSSL file ×××○×××× Microsoft Certificate Server WEB, LDAP ○ △ (Active Directory only) △ (Domain Controll er onlu) × △ (Domain Controller only) ○× △ (Event logging) Entrust Authority CMP, bulk, LDAP,WEB, SCEP ○○○×○○○○ ○ : available 、 × : not available 、△: some restriction
2015/6/215 License ID management Transfer authentication responsibility to Local RA Grid operation extensions Assistance of Grid-mapfile creation Dual interfaces for certificate request Web & command line enrollment CA/RA architecture Independent Registration Authority (RA) Server Practical CP/CPS Template NAREGI-CA Software Features
2015/6/216 NAREGI-CA Architecture RA (Registration Authority) CA (Certificate Authority) Local RA (Site Administrator) End User &Host Administrator Site Administrator ① Get License ID ② Authorize to pass License ID ④ Pass License ID & Public Key ⑦ Get Certificate ⑤ Send CSR ⑥ Issue Certificate ③ Generate a Key Pair ⑧ Get Grid Map file
2015/6/217 CA Administrator CARA RA Administrator IC Card Enhanced procedure to issue certificate User CA Administrator RA Administrator RA Operator User License ID Identify Issue Certificate RACA Apply License ID Identify Authorize Issue Certificate Application Server (web) Management Server (web) Delegate Challenge PIN License ID
2015/6/218 CampusCA Issue Certificate Campus PKI Grid PKI NAREGI CA Super Computer Grid System Super Computer Issue Certificate Request Certificate (Use IC Card as credential) LDAP NAREGI RA IC Card Certificate for Grid System Access User Campus-Grid PKI Federation
2015/6/219 UPKI Initiative Founded in 16 Aug 2006 Sponsored by NII AAI TWG Mission Gathering interests and opinions of not only universities but also industries AAI TWG UPKI Initiative Univ Tech. College J. College Common specification join Research Institute Hokkaido UTohoku UU. TokyoNagoya U Kyoto UOsaka UKyushu U KEKTokyo Tech NII NII CSI Headquarter Opinions and comments etc.
NII International Workshop on Cyber Science Infrastructure 20 Summary UPKI national academic authentication and authorization infrastructure project has started. Conducted by NII and the information infrastructure centers in the 7 universities As a basic platform of Cyber Science Infrastructure We have started later, so we have get some advantages International federation/collaboration is a very important issue.
2015/6/221 APAN Middleware Working Group APAN (Asia-Pacific Advanced Networking) 20 th APAN (Taipei, Aug. 2005) National Authentication and Authorization Infrastructure and NREN (proposed session) 21 st APAN (Tokyo, Jan. 2006) Middleware Workshop (full day) Middleware Working Group is approved for a period of two years 22 nd APAN (Singapore, today) Grid Middleware Workshop 23 rd APAN (Manila, Jan. 2007) Grid Middleware Workshop 24 th APAN (Xian, Aug. 2007) Middleware Workshop