Presentation is loading. Please wait.

Presentation is loading. Please wait.

Co-ordination & Harmonisation of Advanced e-Infrastructures for Research and Education Data Sharing Grant.

Published byJonathan Miles Modified over 7 years ago

Similar presentations

Presentation on theme: "Co-ordination & Harmonisation of Advanced e-Infrastructures for Research and Education Data Sharing Grant."— Presentation transcript:

1 Co-ordination & Harmonisation of Advanced e-Infrastructures for Research and Education Data Sharing www.chain-project.eu proj-office@chain-project.eu Grant Agreement n. 306819 The eTokenServer: a standard-based solution developed by INFN Catania for central provisioning of robot credentials Giuseppe LA ROCCA, INFN Catania - Italy CHAIN-REDS School for Application Porting to Science Gateways, 09-20 June 2014, Catania - Italy

2 Outline  Some introductory concepts and driving considerations  Introduction to the “light-weight” crypto library  The Architecture  Java™ PKCS#11, Bouncy Castle  Java CoG Kits v.1.8.0  VOMS-Admin APIs v.3.0  Apache Tomcat 7.0.27 as a Web Container  JAX-RS 1.2 Java APIs using Jersey implementation  Summary and Conclusions CHAIN-REDS School for Application Porting to Science Gateways – 09-20.06.2014

3 The 21 st Century Research Challenges 3 RS Ophiuchi INAF – Oss. Astronomico Palermo

4 Virtual Research Community (VRC) Grid/Cloud Infrastructure The Research Network Infrastructure provides fast interconnection and advanced services among Research and Education institutes of different countries The Research Grid/Cloud Infrastructure provides a distributed environment for sharing computing power, storage, instruments and databases through the appropriate software (middleware) e-Infrastructure “an environment where research resources (hardware, software and content) can be readily shared and accessed where necessary to promote better and more efficient research” e-Infrastructure Network Infrastructure The e-Infrastructure vision CHAIN-REDS School for Application Porting to Science Gateways – 09-20.06.2014

5 The European Grid Infrastructure (EGI) European Over 30 countries EGI MISSION To support researchers from all disciplines with the reliable and innovative ICT services they need to accelerate excellent science. Natural sciences Physical sciences Medical and health sciences Engineering and technology Any research activity within the European Research Area EGI MISSION To support researchers from all disciplines with the reliable and innovative ICT services they need to accelerate excellent science. Natural sciences Physical sciences Medical and health sciences Engineering and technology Any research activity within the European Research Area Grid Secure sharing of IT resources Infrastructure Computers (clusters) Data Applications http://www.egi.eu/ CHAIN-REDS School for Application Porting to Science Gateways – 09-20.06.2014

6 Some barriers limit the e-Infrastructure adoption (*) The eResearch2020 report http://www.eresearch2020.eu / Some barriers limit the e-Infrastructure adoption

7 Some introductory concepts and driving considerations Security is based on the Public Key Infrastructure (PKI) of X.509 certificates and the procedures to manage these certificates are unfortunately not straightforward There is a “scientific gap” we have to overcome before to get some benefits in using e-Infrastructures The adoption of robot certificates can reduce these barriers and help non-expert users to experience ICT-based platform technology! CHAIN-REDS School for Application Porting to Science Gateways – 09-20.06.2014

8 Robot certificates in a nutshell  Robot certificates have been introduced to allow non- expert users to experience e-Infrastructures for research activity; – They are extremely useful, for instance, to automate Grid service monitoring, data processing production, distributed data collection systems; CHAIN-REDS School for Application Porting to Science Gateways – 09-20.06.2014

9  Introduction to the “light-weight” crypto library:  Java™ PKCS#11, Bouncy Castle  Java CoG Kits v.1.8.0  VOMS-Admin APIs v.3.0  Apache Tomcat 7.0.27 as a Web Container  JAX-RS 1.2 Java APIs using Jersey implementation CHAIN-REDS School for Application Porting to Science Gateways – 09-20.06.2014

10 The “light-weight” crypto library interface has been designed to provide seamless and secure access to computing e- Infrastructures, based-on gLite MW, using robot certificates The business logic of the library, combines different programming native interfaces and standards such as the: – “cryptoki” Java™ Cryptographic Token Standard Interface (PKCS#11) libraries – Open source BouncyCastle libraries – Java CoG Kits APIs – VOMS-Admin APIs – RESTful technology (JSR 311) The “light-weight” crypto library CHAIN-REDS School for Application Porting to Science Gateways – 09-20.06.2014

11 List of SW packages adopted The Cryptographic Token Interface Standard (PKCS#11) is a standard introduced by RSA Data Security IncCryptographic Token Interface Standard (PKCS#11)RSA Data Security Inc – It defines native programming interfaces to access cryptographic tokens The Bouncy Castle APIs provide support for creating X.509 certificates (ver.1 and ver.3)Bouncy Castle The Java CoG Kits APIs allow users to provide Globus Toolkit functionality within their code without calling scripts, or in some cases without having Globus installed (v1.8.0)CoG Kits VOMS-Admin APIs (v3.0), developed in the context of the DILIGENT and D4Science projects, were used for interacting the VOMS server and retrieve the list of groups/roles per VO VOMS-AdminDILIGENTD4Science The JAX-RS (Java API for RESTful Web Services) specification presented in JSR 311 defines a standard way to deploy RESTful web servicesJAX-RS CHAIN-REDS School for Application Porting to Science Gateways – 09-20.06.2014

12  Deployed on Tomcat Application Server (v7.0.27) Application Server Caching of proxy certificates for each valid requestID – If lifetime(requestID)-12h>0  the cached proxy is sent to the Science Gateway Thread-safe access to the list of smart cards – Evaluated performance of the server using Apache JMeter™ – ~ 6-8 sec. Waiting time for a new proxy – 20 msec. If the proxy is cached CHAIN-REDS School for Application Porting to Science Gateways – 09-20.06.2014

13  To reduce security risks, robot certificate are saved on board of the Aladdin eToken USB smart cards The Aladdin eToken smart card can support several certificates: – 4 certificates per each eToken PRO 64KB – PKI Client supports maximum 16 slots! Hardware Tokens A token PIN is prompted every time the user needs to interact with the smart card Costs: – eToken PRO 64KB € 49,00 – eToken PKI Client € 15,90 – eToken Shell € 2,00 CHAIN-REDS School for Application Porting to Science Gateways – 09-20.06.2014

14  The Architecture  The typical working scenario  Some REST APIs  The web interface (protected)  More info CHAIN-REDS School for Application Porting to Science Gateways – 09-20.06.2014

15 The five-layer architecture of the “light-weight” crypto library CHAIN-REDS School for Application Porting to Science Gateways – 09-20.06.2014

16 The working scenario… CHAIN-REDS School for Application Porting to Science Gateways – 09-20.06.2014

17 The web interface (protected access) CHAIN-REDS School for Application Porting to Science Gateways – 09-20.06.2014 Use the VOMS-ADMIN APIs to get the list of FQANs

18 CHAIN-REDS School for Application Porting to Science Gateways – 09-20.06.2014 The web interface (protected access) Enable / Disable long-term proxy Enable RFC / Full-legacy proxyAdding additional CN (for accounting)

19 Some RESTFul APIs to request proxies / list robots https://myproxy.ct.infn.it:8443/eTokenServer/eToken/332576f78a4fe70a52048043e90cd11f? voms=fedcloud.egi.eu:/fedcloud.egi.eu&proxy-renewal=true&disable-voms-proxy=false&rfc- proxy=true&cn-label=LAROCCA Create RFC 3820 complaint proxies Create full-legacy globus proxies https://myproxy.ct.infn.it:8443/eTokenServer/eToken/332576f78a4fe70a52048043e90cd11f? voms=fedcloud.egi.eu:/fedcloud.egi.eu&proxy-renewal=true&disable-voms-proxy=false&rfc- proxy=false&cn-label=Empty eTokenServer host & port MD5Sum Options FQANs Create plain proxies (without VOMS ACs) Get the list of available robot certificates https://myproxy.ct.infn.it:8443/eTokenServer/eToken?format=json Create full-legacy globus proxies (with more FQANs) https://myproxy.ct.infn.it:8443/eTokenServer/eToken/332576f78a4fe70a52048043e90cd11f? voms=fedcloud.egi.eu:/fedcloud.egi.eu&proxy-renewal=true&disable-voms-proxy=true&rfc- proxy=false&cn-label=Empty CHAIN-REDS School for Application Porting to Science Gateways – 09-20.06.2014 https://myproxy.ct.infn.it:8443/eTokenServer/eToken/b970fe11cf219e9c6644da0bc4845010? voms=vo.eu-decide.eu:/vo.eu-decide.eu/Role=Neurologist+vo.eu-decide.eu:/vo.eu- decide.eu&proxy-renewal=true&disable-voms-proxy=false&rfc-proxy=false&cn-label=Empty

20 Who is using the crypto-library ?  The eTokenServer service is currently used by the following SGs / Projects: CHAIN-REDS School for Application Porting to Science Gateways – 09-20.06.2014

21 New eTokenServer installations (being) supported by CHAIN-REDS in preparation CHAIN-REDS School for Application Porting to Science Gateways – 09-20.06.2014

22 Summary & Conclusions  The eTokenServer is currently used as central service to provision robot proxy credentials to different VRCs  It provides a transparent and secure mechanism to access robot certificates installed on USB smart cards  The business logic relies on different standards  By design the eTokenServer is complaint with the policies reported in these two documents: EUGridPMA guidelines, OperationsGuidelineEUGridPMA OperationsGuideline CHAIN-REDS School for Application Porting to Science Gateways – 09-20.06.2014

23 Email: sg-licence@ct.infn.it sg-licence@ct.infn.it giuseppe.larocca@ct.infn.it Social Networks: Contacts CHAIN-REDS School for Application Porting to Science Gateways – 09-20.06.2014

24 Co-ordination & Harmonisation of Advanced e-Infrastructures for Research and Education Data Sharing www.chain-project.eu proj-office@chain-project.eu Grant Agreement n. 306819 www.chain-project.eu proj-office@chain-project.eu

Download ppt "Co-ordination & Harmonisation of Advanced e-Infrastructures for Research and Education Data Sharing Grant."

Similar presentations

MyProxy Jim Basney Senior Research Scientist NCSA

MyProxy Jim Basney Senior Research Scientist NCSA
Summary Role of Software (1 slide) ARCS Software Architecture (4 slides) SNS -- Caltech Interactions (3 slides)

Summary Role of Software (1 slide) ARCS Software Architecture (4 slides) SNS -- Caltech Interactions (3 slides)
Web-based Portal for Discovery, Retrieval and Visualization of Earth Science Datasets in Grid Environment Zhenping (Jane) Liu.

Web-based Portal for Discovery, Retrieval and Visualization of Earth Science Datasets in Grid Environment Zhenping (Jane) Liu.
Public Key Infrastructure from the Most Trusted Name in e-Security.

Public Key Infrastructure from the Most Trusted Name in e-Security.
Co-ordination & Harmonisation of Advanced e-Infrastructures for Research and Education Data Sharing Research Infrastructures – Proposal n. 306819 A Standard-based.

Co-ordination & Harmonisation of Advanced e-Infrastructures for Research and Education Data Sharing Research Infrastructures – Proposal n A Standard-based.
Co-ordination & Harmonisation of Advanced e-Infrastructures for Research and Education Data Sharing Research Infrastructures – Proposal n. 306819 The CHAIN-REDS.

Co-ordination & Harmonisation of Advanced e-Infrastructures for Research and Education Data Sharing Research Infrastructures – Proposal n The CHAIN-REDS.
Riccardo Bruno INFN.CT Sevilla, 10-14 Sep 2007 The GENIUS Grid portal.

Riccardo Bruno INFN.CT Sevilla, Sep 2007 The GENIUS Grid portal.
The EPIKH Project (Exchange Programme to advance e-Infrastructure Know-How) Grid Engine Riccardo Rotondo

The EPIKH Project (Exchange Programme to advance e-Infrastructure Know-How) Grid Engine Riccardo Rotondo
CGW 2003 Institute of Computer Science AGH Proposal of Adaptation of Legacy C/C++ Software to Grid Services Bartosz Baliś, Marian Bubak, Michał Węgiel,

CGW 2003 Institute of Computer Science AGH Proposal of Adaptation of Legacy C/C++ Software to Grid Services Bartosz Baliś, Marian Bubak, Michał Węgiel,
Towards a Javascript CoG Kit Gregor von Laszewski Fugang Wang Marlon Pierce Gerald Guo

Towards a Javascript CoG Kit Gregor von Laszewski Fugang Wang Marlon Pierce Gerald Guo
EMI INFSO-RI-261611 EMI Quality Assurance Processes (PS06-4-499) Alberto Aimar (CERN) CERN IT-GT-SL Section Leader EMI SA2 QA Activity Leader.

EMI INFSO-RI EMI Quality Assurance Processes (PS ) Alberto Aimar (CERN) CERN IT-GT-SL Section Leader EMI SA2 QA Activity Leader.
EMI INFSO-RI-261611 SA2 - Quality Assurance Alberto Aimar (CERN) SA2 Leader EMI First EC Review 22 June 2011, Brussels.

EMI INFSO-RI SA2 - Quality Assurance Alberto Aimar (CERN) SA2 Leader EMI First EC Review 22 June 2011, Brussels.
Unit – I CLIENT / SERVER ARCHITECTURE. Unit Structure  Evolution of Client/Server Architecture  Client/Server Model  Characteristics of Client/Server.

Unit – I CLIENT / SERVER ARCHITECTURE. Unit Structure  Evolution of Client/Server Architecture  Client/Server Model  Characteristics of Client/Server.
GILDA testbed GILDA Certification Authority GILDA Certification Authority User Support and Training Services in IGI IGI Site Administrators IGI Users IGI.

GILDA testbed GILDA Certification Authority GILDA Certification Authority User Support and Training Services in IGI IGI Site Administrators IGI Users IGI.
The gLite API – PART I Giuseppe LA ROCCA INFN Catania Master Class for Life Science, 4-6 May 2010 Singapore.

The gLite API – PART I Giuseppe LA ROCCA INFN Catania Master Class for Life Science, 4-6 May 2010 Singapore.
GRID Overview Internet2 Member Meeting Spring 2003 Sandra Redman Information Technology and Systems Center and Information Technology Research Center National.

GRID Overview Internet2 Member Meeting Spring 2003 Sandra Redman Information Technology and Systems Center and Information Technology Research Center National.
Co-ordination & Harmonisation of Advanced e-Infrastructures for Research and Education Data Sharing Grant.

Co-ordination & Harmonisation of Advanced e-Infrastructures for Research and Education Data Sharing Grant.
Secure hardware tokens David Groep DutchGrid CA. DutchGrid CA requirements Need for automated clients –from the bioinformatics domain (NBIC BioRange/BioAssist)

Secure hardware tokens David Groep DutchGrid CA. DutchGrid CA requirements Need for automated clients –from the bioinformatics domain (NBIC BioRange/BioAssist)
Development of e-Science Application Portal on GAP WeiLong Ueng Academia Sinica Grid Computing

Development of e-Science Application Portal on GAP WeiLong Ueng Academia Sinica Grid Computing
Www.egi.eu EGI-InSPIRE RI-261323 www.egi.eu EGI-InSPIRE RI-261323 A new “lightweight” Crypto Library for supporting an Advanced Grid Authentication Process.

EGI-InSPIRE RI EGI-InSPIRE RI A new “lightweight” Crypto Library for supporting an Advanced Grid Authentication Process.

Similar presentations

Ads by Google