14-Nov-05 JISC Core Middleware Meeting 1 Middleware Initiatives in Australia Alex Reid Director, eResearch/Middleware, AARNet.

Presentation transcript:

14-Nov-05 JISC Core Middleware Meeting 1 Middleware Initiatives in Australia Alex Reid Director, eResearch/Middleware, AARNet

14-Nov-05 JISC Core Middleware Meeting 2 Contents
Australian Research Infrastructure
Government Initiatives
NREN
Middleware Strategy
MAMS
PKI Project
eduroam

14-Nov-05 JISC Core Middleware Meeting 3 National Research Infrastructure
Backing Australia's Ability – An Innovation Action Plan for the Future 2001/2004: $3 billion over 5 years from $5.3 billion over 7 years from
Systemic Infrastructure Initiative (SII) to upgrade research infrastructure at Australian universities: $246m over 5 years from to $542m over 6 years from to
HEBAC (Higher Education Bandwidth Advisory Committee)
ARENAC (Australian Research and Education Network Advisory Committee) orities/australian_research_and_education_network/arenac.htm
HEIIAC -> ARIIC (Australian Research Information Infrastructure Committee)
NRIT (National Research Infrastructure Task Force) search_infrastructure_taskforce_framework/default.htm
NCRIS (National Collaborative Research Infrastructure Strategy)
eResearch Coordinating Committee t.htm/

14-Nov-05 JISC Core Middleware Meeting 4 Research Infrastructure Framework
BAA $3b + $5.3b HEIIAC ARIIC FRODO $12m MERRI $19m HEBAC ARENAC NREN $70m NRIT NCRIS eRCC eResearch $??? SII $246m + $542m

14-Nov-05 JISC Core Middleware Meeting 5 AARNet3 Components
APL Tender for v3 of AARNet mid-2004
ARENAC $70m + APL own reserves
National Backbone: own 2 fibre pairs across the country – deployed since 2004 at 10Gbps
Regional Network: diverse routes, using DWDM, up to 320Gbps
International Links: IRU on 2x 10Gbps fibres across the Pacific (SCCN) – PoPs in Seattle, LA
Commodity connectivity in Australia & USA (Seattle, Palo Alto)
Participate in TEIN2 – PoPs in Singapore & Frankfurt

14-Nov-05 JISC Core Middleware Meeting 6 AARNet3 Infrastructure – National

14-Nov-05 JISC Core Middleware Meeting 7 AARNet3 Infrastructure – Comparison

14-Nov-05 JISC Core Middleware Meeting 8 AARNet3 Infrastructure – Global

14-Nov-05 JISC Core Middleware Meeting 9 Place of Middleware
Facilities, Services, Resources: Processing, Data Storage, Instruments, Electronic Information
Local, Regional, National & International Network Infrastructure
Authentication, Authorisation, Access, Accounting: PKI, Shibboleth, etc
Knowledge Management, Resource Management, Collaboration Tools, Grid Services
Applications, Human Interfaces
Users
Middleware: Application-independent; Resource- & Location-neutral

14-Nov-05 JISC Core Middleware Meeting 10 Draft Middleware Action Plan
Following National Forum Dec-04, a Draft Plan was agreed:
Undertake an environmental scan.
Establish a single PKI Certification Authority for R&E.
Establish a sound basis for federated security systems in Australia that will scale to international federations.
Establish appropriate mechanisms to coordinate all R&E Middleware initiatives in Australia.
Agree to investigate adopting Shibboleth.
Establish and sustain strong connections with relevant Australian initiatives/entities.
Establish and strengthen overseas links.
Promote the swift implementation of enterprise directory services at all Australian education and research institutions.
Develop strong visibility for and marketing of the Middleware agenda in Australia.

14-Nov-05 JISC Core Middleware Meeting 11 Survey of Identity & Access Management
Undertaken in May 2005
Establish State-of-Play at Australian universities
Identify best practice, barriers to rapid implementation, authorisation requirements
Goal is:
– pervasive, federated infrastructure that integrates organisations internally while simultaneously allowing them to interoperate with others [Burton Group, 2002]
49% response (low, due to complexity)
Currently:
– Usernames/passwords, Same Sign-on, EZProxy, VPNs, LDAP, in-house integration
Moving to:
– Single Sign-on, automated integration (data feeds from corporate systems), Portals, PKI
Barriers:
– Resources, high risk to critical systems, lack of standards/guidance & training, coordinated middleware

14-Nov-05 JISC Core Middleware Meeting 12 ARIIC Projects
1st Round (FRODO) 22-Oct-03 ($12m): (Federated Repositories of Digital Objects)
– MAMS (Meta Access Management System) $4.2m
– ARROW (Australian Research Repositories Online to the World)
– ADT (Australian Digital Theses Program Expansion)
– APSR (Australian Partnership for Sustainable Repositories)
2nd Round (MERRI) 22-Aug-05 ($19m): (Managed Environment for Research Repository Infrastructure)
– MAPS
– PKI/Shibboleth (operationalise the CAUDIT PKI Standards Project)
– 18 Others (mostly specific collections development/access & digitisation)

14-Nov-05 JISC Core Middleware Meeting 13 ARIIC MERRI Grant – MAPS
Announced by Minister 22-Aug-05
$582,910 granted
Lead site: University of Queensland (Nick Tate)
Supported by: CAUDIT, CAUL, Monash, ANU, Macquarie, AARNet, GrangeNet
From now till end 2006
Purpose:
– This project will identify the software and services (middleware) that are currently being used in Australia to link applications across a range of resources on networks and computer systems in Australian universities. The MAPS project will identify existing areas of activity in the university and research sectors, and use these results to tap into the expertise across the sector to build a strategic plan of activities and projects for an Australian collaborative middleware strategy. This is an important project whose outcomes will enable other projects to leverage off common infrastructure and focus on providing new services that can be shared across the education and research sectors.

14-Nov-05 JISC Core Middleware Meeting 14 MAPS Activities
Goal: Agreed Strategy for Middleware Deployment and Development (note the 2 strands)
Project Manager
Steering Committee, Reference Group, Kick-off Forum
Wide consultation: committees, forums, wikis, mailing lists, Website
Environmental Scan/Stocktake (local and global)
Analysis of findings, development of draft Strategy
Expert Reports
Round-Table
Finalisation of Strategy
Future Funding Proposals

14-Nov-05 JISC Core Middleware Meeting 15 Existing Middleware Activity
APAC Grid ( )
Nimrod-G ( )
CAUDIT-PKI ( 4/ref/CAUDIT%20PKI%20Standards%20Proposal%20-%20V5.doc )
AARLIN ( )
DEST/JISC e-Framework
eduroam
Emerging developers, end users, identity providers, service providers
MAMS ( ):
– Developing hands-on technical/policy experience with Shibboleth within the community
– Test Shibboleth federation is being established, including a WAYF server
– Scouting for suitable test IdPs and SPs

14-Nov-05 JISC Core Middleware Meeting 16 MAMS – Broad Goals
Meta-Access Management System
Addressing the Authentication, Authorisation, Identity, Single-Sign-On, Federation, Trust, Security, Digital Rights and Automated Access Policy Cluster of Problems!!
Iterative demonstrations to help drive the gathering of user requirements
Development of common services prototypes
– Intra-institutional multi-modal SSO
– Inter-institutional access management
   Attribute exchange (Shibboleth)
   Automation of policy
– Federated and extensible identity
– Other common services: DRM, search, metadata
Implementation advice and programs

14-Nov-05 JISC Core Middleware Meeting 17 MAMS Next Steps
Shibbolise Fedora, Dspace repository systems
Add Shib to test environments at NLA, APSR, …
Organise install-fests (SSO workshop) & roadshows
Offer support (CMS, forum, mailing-list, FAQs)
Start an Australian Federation:
– 3 levels: Test-Fed (sand pit); OZFed (identity verification); Legal (technically = OZFed, but formal agreement like InCommon)
Integrate cross-domain SSO with institutional SSO
Integrate with desktop SSO (Kerberos)
Integrate XACML into SAML
Develop plug-ins for legacy systems
Develop ARP manager (Sharpe) & provisioning tools
Easy installation packages (Shib+WebISO)
Virtual Organisation (client & server) packages
Offer policy & legal documents, etc…

14-Nov-05 JISC Core Middleware Meeting 18 MAMS ARP Editor – Sharpe
Manage SP:
– Add & Delete SPs
Manage Attribute Mapping:
– Create, Edit, Copy (clone), Delete Mapping Sets
Manage SP Contracts:
– Create, Edit, Delete SP Contracts
Manage User Contracts:
– Create, Edit, Delete User Contracts

14-Nov-05 JISC Core Middleware Meeting 19 CAUDIT PKI Project
The CAUDIT PKI Project involves developing a single national PKI standards framework for HE & Research, including:
– Certification Authority (CA)
– Registration Authorities (RA) – 50+
– Certificate Policy (CP)
– Certification Practice Statement (CPS)
– Able to scale to 1 million clients
Initially built purely for test/trial purposes:
– not evolve into a production service model;
– only survive until late 2005;
– support 4 levels of assurance;
– support cross-certification;
– support embedding in web browsers (positive Microsoft discussions);
– support signed s.

14-Nov-05 JISC Core Middleware Meeting 20 CAUDIT PKI Project Certification Levels
Certificate Level: Description
Level 1: No proactive identity check has been provided to the RA. However, identity information has been provided by a body with which the RA has a trust relationship. Example: A student being enrolled in at least one subject is sufficient for the certificate issuing; however, identity information has only been supplied by QTAC (or similar state body).
Level 2: Subject is required to provide proof of identity by an in-person appearance to the RA. However, the individual for whatever reason cannot provide the required 100 points of identification. Example: A contractor, who is at an institution for a short time but needs access to a system protected by PK, may not have enough credentials on her person to meet the 100 points check but can provide some credentials like a driver's licence and/or credit card.
Level 3: Subject is required to provide proof of identity by an in-person appearance to the RA. That proof should accrue to at least 100 points of identity. Example: A foreign staff member that has a valid passport and has a written reference from an acceptable referee.
Level 4: Subject is required to provide the same information as for Level 3 certification, in addition to a positive check to be conducted by an appropriate external agency.

14-Nov-05 JISC Core Middleware Meeting 21 PKI Trust Model
AusCERT Root CA is trust anchor for the CAUDIT PKI
Old CAs continue to work
Cross-certifies with national, international and global PKIs (eg HEBCA)
AusCERT will provide:
– PMA
– Directory of Directories
– Single point Certificate Dissemination.
– Single point CRL and OCSP.
– Virtual CA for institutions that can't deploy own PKI
PMA = Policy Mgt Authority; CMS = Cert Mgt System; CRL = Cert Revocation List; OCSP = Online Cert Status Protocol

14-Nov-05 JISC Core Middleware Meeting 22 CAUDIT PKI Project Status
Current Status:
The AusCERT Root CA and the 4-Certification-Level CA have been set up and are issuing certificates.
UQ has set up its 4 Institution Level CAs and is issuing end-entity certificates.
Monash and Victoria Universities have set up their Institution Level CAs and are issuing end-entity certificates; they are now heavily involved in client and CMS capability and interoperability studies with UQ and AusCERT.
Certificate Policy/Certification Practice Statement has been drafted and sent to participant universities for feedback.
A few pilot sites have dropped out because they couldn't supply the necessary resources; the others have also had resourcing issues but are soldiering on.
Final Report submitted October
Next Step is to turn it into a production system, and establish close ties with Shibboleth (authorisation elements) – this has been funded as part of MERRI

14-Nov-05 JISC Core Middleware Meeting 23 eduroam
Being undertaken jointly by AARNet & GrangeNet
17 members signed up
Deploy eduroam in AARNet offices & staff
Write and seek endorsement for national eduroam policies (ratification by CAUDIT imminent)
Promote and participate in eduroam developments within the APAN region
Participate in eduroam global working group
See

14-Nov-05 JISC Core Middleware Meeting 24 Global Middleware Involvement
Europe
– Close co-operation with JISC, Terena and European NRENs on eduroam & other Middleware activities
Americas
– Working on eduroam and Shibboleth activities
APAN (Asia-Pacific Area Network)
– Taking responsibility for advancing Middleware awareness/agenda within APAN
– APAN Middleware mailing list
– APAN Middleware stream for Jan 2006 Tokyo APAN meeting
Global
– Convened eduroam global working group
– Involved in general Middleware policy (eg Slaughter meeting)
– Global Research & Education Federations mailing list (Refeds)
– MACE/MICE participation

14-Nov-05 JISC Core Middleware Meeting 25 END
QUESTIONS???
For further information about Australian Middleware developments, see:
Alex Reid
James Sankar: